CVE-2026-2006 - PostgreSQL missing validation of multibyte character length executes arbitrary code

First Published: 2026/02/12

Important: This is an assessment of the impact of CVE-2026-2006 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. This can lead to arbitrary code execution as the operating system user running the database.

Vulnerability details

CVE-ID: CVE-2026-2006

CVE Publish Date: 2026-02-12

CVSS Base Score: 8.8

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products and versions

PostgreSQL

  • All versions prior to 18.2
  • All versions prior to 17.8
  • All versions prior to 16.12
  • All versions prior to 15.16
  • All versions prior to 14.21

EDB Postgres Extended Server

  • All versions prior to 18.2.0
  • All versions prior to 17.8.0
  • All versions prior to 16.12.0
  • All versions prior to 15.16.0
  • All versions prior to 14.21.0

EDB Postgres Advanced Server

  • All versions prior to 18.2.0
  • All versions prior to 17.8.0
  • All versions prior to 16.12.0
  • All versions prior to 15.16.0
  • All versions prior to 14.21.0

Remediation/fixes

EDB Postgres Extended Server

Affected Version      Fixed In    Fix Published
prior to 18.2.0       18.2.0      2026-02-12
prior to 17.8.0       17.8.0      2026-02-12
prior to 16.12.0      16.12.0     2026-02-12
prior to 15.16.0      15.16.0     2026-02-12
prior to 14.21.0      14.21.0     2026-02-12

EDB Postgres Advanced Server

Affected Version      Fixed In    Fix Published
prior to 18.2.0       18.2.0      2026-02-12
prior to 17.8.0       17.8.0      2026-02-12
prior to 16.12.0      16.12.0     2026-02-12
prior to 15.16.0      15.16.0     2026-02-12
prior to 14.21.0      14.21.0     2026-02-12
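A fleet triage check, added here as an example and not part of the EDB advisory: it parses the value returned by `SHOW server_version` (or the three-part version strings in the tables above) and classifies each server against the fixed minor releases listed in this advisory. It assumes the version value begins with major.minor; majors the advisory does not list are reported as unknown rather than guessed.

```python
import re

# Lowest minor release of each supported major that contains the fix for
# CVE-2026-2006, taken from the fixed versions listed in this advisory.
FIXED_MINOR = {18: 2, 17: 8, 16: 12, 15: 16, 14: 21}


def parse_server_version(version_string):
    """Return (major, minor) from a server_version value such as '16.3',
    '18.2.0' or '16.3 (Debian 16.3-1.pgdg120+1)'; None when no major.minor
    prefix is present."""
    m = re.match(r"\s*(\d+)\.(\d+)", version_string)
    return (int(m.group(1)), int(m.group(2))) if m else None


def cve_2026_2006_status(version_string):
    """Classify a server as 'patched', 'affected' or 'unknown' for this CVE.
    'unknown' covers majors the advisory does not list (older, unsupported
    releases and anything newer than 18), which must be reviewed by hand."""
    parsed = parse_server_version(version_string)
    if parsed is None:
        raise ValueError(f"cannot parse server_version: {version_string!r}")
    major, minor = parsed
    if major not in FIXED_MINOR:
        return "unknown"
    return "patched" if minor >= FIXED_MINOR[major] else "affected"


def triage(version_strings):
    """Map each server_version value to its status so an inventory can be
    sorted into upgrade work."""
    return {v: cve_2026_2006_status(v) for v in version_strings}


if __name__ == "__main__":
    # Constructed sample values in the shape `SHOW server_version` returns;
    # they are illustrative, not taken from any real inventory.
    sample = ["16.11", "16.12", "17.8 (Debian 17.8-1.pgdg120+1)",
              "14.20", "18.2.0", "13.18"]
    for version, status in triage(sample).items():
        print(f"{version:35} {status}")
```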
