CVE-2026-2006

Published: Feb 12, 2026Modified: Feb 20, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (Secondary)

Description

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected (5)

Products: Postgresql: Postgresql

Postgresql

1 product

Postgresql

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	From 14.0 to 14.21
Postgresql Postgresql	From 15.0 to 15.16
Postgresql Postgresql	From 16.0 to 16.12
Postgresql Postgresql	From 17.0 to 17.8
Postgresql Postgresql	From 18.0 to 18.2

Related CWEs

CWE-129

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References (1)

https://www.postgresql.org/support/security/CVE-2026-2006/

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Vendor Advisory

Timeline

No history available yet.