CVE-2026-2003

Published: Feb 12, 2026Modified: Feb 20, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (Secondary)

Description

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected (5)

Products: Postgresql: Postgresql

Postgresql

1 product

Postgresql

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	From 14.0 to 14.21
Postgresql Postgresql	From 15.0 to 15.16
Postgresql Postgresql	From 16.0 to 16.12
Postgresql Postgresql	From 17.0 to 17.8
Postgresql Postgresql	From 18.0 to 18.2

Related CWEs

CWE-1287

Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

References (1)

https://www.postgresql.org/support/security/CVE-2026-2003/

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Vendor Advisory

Timeline

No history available yet.