CVE-2026-2005 - PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

First Published: 2026/02/12

Important: This is an assessment of the impact of CVE-2026-2005 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

A heap buffer overflow in PostgreSQL's pgcrypto extension allows an attacker who can supply ciphertext to pgcrypto's decryption functions to execute arbitrary code as the operating system user that runs the database server. pgcrypto does not sufficiently validate the length and structure of the ciphertext before copying decrypted data into heap-allocated buffers, so crafted input corrupts heap memory. The CVSS vector's PR:L reflects that the attacker needs only a database role permitted to call those functions, not superuser rights; the issue is reachable through SQL only in databases where the pgcrypto extension has been created.

Vulnerability details

CVE-ID: CVE-2026-2005

CVE Publish Date: 2026-02-12

CVSS Base Score: 8.8

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products and versions

PostgreSQL

  • All versions prior to 18.2
  • All versions prior to 17.8
  • All versions prior to 16.12
  • All versions prior to 15.16
  • All versions prior to 14.21

EDB Postgres Extended Server

  • All versions prior to 18.2.0
  • All versions prior to 17.8.0
  • All versions prior to 16.12.0
  • All versions prior to 15.16.0
  • All versions prior to 14.21.0

EDB Postgres Advanced Server

  • All versions prior to 18.2.0
  • All versions prior to 17.8.0
  • All versions prior to 16.12.0
  • All versions prior to 15.16.0
  • All versions prior to 14.21.0

Remediation/fixes

EDB Postgres Extended Server

Affected Version      Fixed In    Fix Published
prior to 18.2.0       18.2.0      2026-02-12
prior to 17.8.0       17.8.0      2026-02-12
prior to 16.12.0      16.12.0     2026-02-12
prior to 15.16.0      15.16.0     2026-02-12
prior to 14.21.0      14.21.0     2026-02-12

EDB Postgres Advanced Server

Affected Version      Fixed In    Fix Published
prior to 18.2.0       18.2.0      2026-02-12
prior to 17.8.0       17.8.0      2026-02-12
prior to 16.12.0      16.12.0     2026-02-12
prior to 15.16.0      15.16.0     2026-02-12
prior to 14.21.0      14.21.0     2026-02-12
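The following script is an added example, not EDB's or the PostgreSQL project's code, for triaging a fleet against the fixed releases listed above. It parses either a bare version ("16.11", "16.12.0") or the text returned by SELECT version(), classifies each server as vulnerable, fixed, or unknown (a branch the advisory does not enumerate), and builds an equivalent SQL check that compares server_version_num against the same thresholds and reports whether pgcrypto is installed. The host names and version strings in SAMPLE_SERVERS are constructed for illustration.

```python
import re

# Fixed-in releases from the advisory, keyed by major version. Community
# PostgreSQL numbers releases "major.minor"; EDB Postgres Extended Server and
# EDB Postgres Advanced Server use "major.minor.patch" with the same
# major.minor, so one table covers all three products.
FIXED_IN = {18: 2, 17: 8, 16: 12, 15: 16, 14: 21}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text):
    """Return (major, minor) from a bare version ("16.11", "16.12.0") or from
    the output of SELECT version(); None if no dotted version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def server_version_num(major, minor):
    """Same encoding PostgreSQL uses for server_version_num: 16.12 -> 160012."""
    return major * 10000 + minor


def assess(text):
    """Classify one server against the advisory.

    "vulnerable": listed branch, older than its fixed release
    "fixed":      listed branch, at or past its fixed release
    "unknown":    unparseable, or a branch the advisory does not enumerate
                  (for example 13.x, which is out of community support)
    """
    v = parse_version(text)
    if v is None or v[0] not in FIXED_IN:
        return "unknown"
    major, minor = v
    return "fixed" if minor >= FIXED_IN[major] else "vulnerable"


def sql_check():
    """Build an equivalent check to run with psql inside each database.

    pg_extension is per-database, so run the statement in every database;
    the vulnerable code is reachable through SQL only where pgcrypto has
    been created. The thresholds are the same as FIXED_IN, encoded the way
    server_version_num encodes them.
    """
    branches = " ".join(
        f"WHEN {major} THEN vnum >= {server_version_num(major, minor)}"
        for major, minor in sorted(FIXED_IN.items())
    )
    return (
        "SELECT current_setting('server_version') AS version, "
        f"CASE vnum / 10000 {branches} ELSE NULL END AS fixed, "
        "EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgcrypto') "
        "AS pgcrypto_installed "
        "FROM (SELECT current_setting('server_version_num')::int AS vnum) s;"
    )


# Constructed sample inventory (hypothetical hosts, not from the advisory):
# what an inventory tool or SELECT version() might hand back.
SAMPLE_SERVERS = {
    "prod-pg16": "PostgreSQL 16.11 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.4.1, 64-bit",
    "prod-pg16-patched": "PostgreSQL 16.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.4.1, 64-bit",
    "epas15": "15.15.0",
    "pge17": "17.8.0",
    "legacy-pg13": "PostgreSQL 13.20 on x86_64-pc-linux-gnu",
}


def triage(servers):
    """Map each host name to its assessment."""
    return {host: assess(version) for host, version in servers.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_SERVERS).items():
        print(f"{host:20s} {status}")
    print()
    print(sql_check())
```

Servers reported as "unknown" need manual review rather than being treated as safe: an unparseable string or an unlisted branch says nothing about whether the fix is present.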

References

