PostgreSQL: Missing Input Validation Can Execute Harmful Code

ALSA-2026:4110
Summary

This update fixes three security issues in PostgreSQL (CVE-2026-2004, CVE-2026-2005 and CVE-2026-2006) that could allow an attacker to execute arbitrary code on your system. This could happen if an attacker sends specially crafted data to your database. You should update PostgreSQL to the latest version to protect your system.

What to do
  • Update almalinux pg_repack to version 1.5.1-1.module_el9.6.0+146+c54fdeca.
  • Update almalinux pgaudit to version 16.0-1.module_el9.4.0+66+eb9878bc.
  • Update almalinux pgvector to version 0.6.2-2.module_el9.6.0+167+4e561146.
  • Update almalinux postgis to version 3.5.3-3.module_el9.7.0+187+2286ff0a.
  • Update almalinux postgis-client to version 3.5.3-3.module_el9.7.0+187+2286ff0a.
  • Update almalinux postgis-docs to version 3.5.3-3.module_el9.7.0+187+2286ff0a.
  • Update almalinux postgis-upgrade to version 3.5.3-3.module_el9.7.0+187+2286ff0a.
  • Update almalinux postgis-utils to version 3.5.3-3.module_el9.7.0+187+2286ff0a.
  • Update almalinux postgres-decoderbufs to version 2.4.0-1.Final.module_el9.4.0+66+eb9878bc.
  • Update almalinux postgresql to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-contrib to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-docs to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-plperl to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-plpython3 to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-pltcl to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-private-devel to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-private-libs to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-server to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-server-devel to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-static to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-test to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-test-rpm-macros to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-upgrade to version 16.13-1.module_el9.7.0+213+65e1da69.
  • Update almalinux postgresql-upgrade-devel to version 16.13-1.module_el9.7.0+213+65e1da69.
Affected software
Vendor  Product  Affected versions  Fix available
almalinux pg_repack <= 1.5.1-1.module_el9.6.0+146+c54fdeca 1.5.1-1.module_el9.6.0+146+c54fdeca
almalinux pgaudit <= 16.0-1.module_el9.4.0+66+eb9878bc 16.0-1.module_el9.4.0+66+eb9878bc
almalinux pgvector <= 0.6.2-2.module_el9.6.0+167+4e561146 0.6.2-2.module_el9.6.0+167+4e561146
almalinux postgis <= 3.5.3-3.module_el9.7.0+187+2286ff0a 3.5.3-3.module_el9.7.0+187+2286ff0a
almalinux postgis-client <= 3.5.3-3.module_el9.7.0+187+2286ff0a 3.5.3-3.module_el9.7.0+187+2286ff0a
almalinux postgis-docs <= 3.5.3-3.module_el9.7.0+187+2286ff0a 3.5.3-3.module_el9.7.0+187+2286ff0a
almalinux postgis-upgrade <= 3.5.3-3.module_el9.7.0+187+2286ff0a 3.5.3-3.module_el9.7.0+187+2286ff0a
almalinux postgis-utils <= 3.5.3-3.module_el9.7.0+187+2286ff0a 3.5.3-3.module_el9.7.0+187+2286ff0a
almalinux postgres-decoderbufs <= 2.4.0-1.Final.module_el9.4.0+66+eb9878bc 2.4.0-1.Final.module_el9.4.0+66+eb9878bc
almalinux postgresql <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-contrib <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-docs <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-plperl <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-plpython3 <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-pltcl <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-private-devel <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-private-libs <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-server <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-server-devel <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-static <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-test <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-test-rpm-macros <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-upgrade <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
almalinux postgresql-upgrade-devel <= 16.13-1.module_el9.7.0+213+65e1da69 16.13-1.module_el9.7.0+213+65e1da69
Original title
Important: postgresql:16 security update
Original description
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code (CVE-2026-2006)
* postgresql: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code (CVE-2026-2004)
* postgresql: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code (CVE-2026-2005)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 13 Mar 2026