Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
PostgreSQL 17 Security Update: Fix Critical Server Memory and Code Execution Flaws
OESA-2026-1531
Summary
PostgreSQL 17 and earlier versions have security issues that can allow hackers to access sensitive data from the server or execute code on the server as the system administrator. This can happen if an attacker is able to access the database or if the database is compromised by a malicious user. To protect your database, update to version 18.2 or later.
What to do
- Update postgresql-17 to version 17.9-1.oe2403sp3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | postgresql-17 | <= 17.9-1.oe2403sp3 | 17.9-1.oe2403sp3 |
Original title
postgresql-17 security update
Original description
PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you&apos;ll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package.
Security Fix(es):
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2003)
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2004)
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2005)
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2006)
Security Fix(es):
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2003)
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2004)
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2005)
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.(CVE-2026-2006)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-2003 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-2004 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-2005 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-2006 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026