CVE-2026-2006

216.73.217.22

· Published 12/02/2026 14:16 · Modified 12/02/2026 15:10

Labels: CVE-2026-2006 2026-02-12 CVE-2026-2006 CWE-129 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Essential information

Published: 12/02/2026 14:16
Modified: 12/02/2026 15:10
Author: —
Creator: —
CVSS: 8.8 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
NVD: View on NVD

Affected products (CPE)

Product	CPE
postgresql / postgresql	`cpe:2.3:a:postgresql:postgresql:<14.21:::::::*`
postgresql / postgresql	`cpe:2.3:a:postgresql:postgresql:<15.16:::::::*`
postgresql / postgresql	`cpe:2.3:a:postgresql:postgresql:<16.12:::::::*`
postgresql / postgresql	`cpe:2.3:a:postgresql:postgresql:<17.8:::::::*`
postgresql / postgresql	`cpe:2.3:a:postgresql:postgresql:<18.2:::::::*`