PostgreSQL Security Update Advisory
Overview
We have released a security update to address four vulnerabilities in PostgreSQL (CVE-2026-2004, CVE-2026-2005, CVE-2026-2006 and CVE-2026-2007). Users of affected products are advised to update to the fixed minor release for their major version.
Affected Products
CVE-2026-2004, CVE-2026-2005, CVE-2026-2006
PostgreSQL versions: 18.x earlier than 18.2
PostgreSQL versions: 17.x earlier than 17.8
PostgreSQL versions: 16.x earlier than 16.12
PostgreSQL versions: 15.x earlier than 15.16
PostgreSQL versions: 14.x earlier than 14.21
CVE-2026-2007
PostgreSQL version: 18.0
PostgreSQL version: 18.1
Resolved Vulnerabilities
Arbitrary code execution vulnerability due to missing input type validation in the selectivity estimator function of the PostgreSQL intarray extension module (CVE-2026-2004)
Arbitrary code execution vulnerability due to a heap buffer overflow in the PostgreSQL pgcrypto extension module (CVE-2026-2005)
Arbitrary code execution vulnerability due to missing multibyte character length validation in the PostgreSQL server (CVE-2026-2006)
Heap buffer overflow vulnerability in the PostgreSQL pg_trgm extension module (CVE-2026-2007)
Note: intarray, pgcrypto and pg_trgm are optional contrib extensions, so CVE-2026-2004, CVE-2026-2005 and CVE-2026-2007 are only reachable in databases where the corresponding extension has been installed with CREATE EXTENSION. CVE-2026-2006 is in core server code and applies to every affected installation regardless of installed extensions.
Vulnerability Patches
Fixes for these vulnerabilities are included in the minor releases listed below. Follow the instructions on the referenced sites to update to the fixed version. PostgreSQL minor releases keep the on-disk format unchanged, so applying them requires only installing the new binaries and restarting the server; no dump and restore is needed.
CVE-2026-2004, CVE-2026-2005, CVE-2026-2006
PostgreSQL version: 18.2
PostgreSQL version: 17.8
PostgreSQL version: 16.12
PostgreSQL version: 15.16
PostgreSQL version: 14.21
CVE-2026-2007
PostgreSQL version: 18.2
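As an added example (not part of the PostgreSQL advisory), the following query checks whether the server you are connected to is below the fixed minor release for its major version, and lists which of the affected contrib extensions are installed in the current database. The fixed-version table is taken from the list above; the query assumes PostgreSQL 14 or later, where `server_version_num` encodes the major version in the leading digits and the minor version in the last two.

```sql
-- Added check, not from the advisory: compare the running server against the
-- fixed minor releases and report affected contrib extensions in this database.
-- server_version_num is e.g. 180001 for 18.1 and 140020 for 14.20 (assumed format).
WITH fixed(major, fixed_minor) AS (
    VALUES (18, 2), (17, 8), (16, 12), (15, 16), (14, 21)
),
server AS (
    SELECT current_setting('server_version_num')::int / 10000 AS major,
           current_setting('server_version_num')::int % 100   AS minor,
           version()                                          AS full_version
)
SELECT s.full_version,
       CASE
         WHEN f.major IS NULL          THEN 'major version not covered by this advisory'
         WHEN s.minor < f.fixed_minor  THEN format('VULNERABLE: update to %s.%s', f.major, f.fixed_minor)
         ELSE                               'patched'
       END AS status,
       -- pg_extension is per-database, so this only reflects the current database
       COALESCE(
         (SELECT string_agg(extname || ' ' || extversion, ', ' ORDER BY extname)
            FROM pg_extension
           WHERE extname IN ('intarray', 'pgcrypto', 'pg_trgm')),
         'none') AS affected_extensions_installed
FROM server s
LEFT JOIN fixed f ON f.major = s.major;
```

Because CREATE EXTENSION is per database, run the query in every database on the instance (or loop over `pg_database` with psql) to find all places where intarray, pgcrypto or pg_trgm is installed. The version check alone is sufficient for CVE-2026-2006, which is in core server code; a "VULNERABLE" status means the instance needs the update whether or not any of the three extensions is present.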
References
[1] CVE-2026-2004
https://www.postgresql.org/support/security/CVE-2026-2004/
[2] CVE-2026-2005
https://www.postgresql.org/support/security/CVE-2026-2005/
[3] CVE-2026-2006
https://www.postgresql.org/support/security/CVE-2026-2006/
[4] CVE-2026-2007
https://www.postgresql.org/support/security/CVE-2026-2007/