HIGH · CVE-2026-2006 · Published · Modified · CNA: PostgreSQL
CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 14.21
- Affected Products: 1
Fix available: 14.21, 15.16, 16.12, 17.8, 18.2
Affected packages
- n/a / PostgreSQL: < 18.2 (from 18) · < 17.8 (from 17) · < 16.12 (from 16) · < 15.16 (from 15) · < 14.21 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References