PT-2026-7846 · Unknown+5 · Postgresql+4
Moritz Sanft +1 · Published 2026-01-01 · Updated 2026-05-19 · CVE-2026-2006
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
PostgreSQL and Affected Versions
PostgreSQL versions prior to 18.3
PostgreSQL versions prior to 17.9
PostgreSQL versions prior to 16.13
PostgreSQL versions prior to 15.17
PostgreSQL versions prior to 14.22
PostgreSQL version 9.3
Description
PostgreSQL is susceptible to a buffer overrun due to missing validation of multibyte character length during text manipulation. This allows a database user to craft queries that can overwrite memory, potentially leading to arbitrary code execution with the privileges of the operating system user running the database. The issue is triggered when processing maliciously crafted queries, specifically in PL/pgSQL function compilation when handling CREATE FUNCTION statements. An attacker with CREATE privilege can define a PL/Python user-defined function containing arbitrary Python code that executes with the privileges of the PostgreSQL server process. Approximately 3 million instances are estimated to be exposed globally. The vulnerability affects the substring() function, which may raise an error when processing non-ASCII text values sourced from database columns.
Recommendations
PostgreSQL versions prior to 18.3: Upgrade to version 18.3 or later.
PostgreSQL versions prior to 17.9: Upgrade to version 17.9 or later.
PostgreSQL versions prior to 16.13: Upgrade to version 16.13 or later.
PostgreSQL versions prior to 15.17: Upgrade to version 15.17 or later.
PostgreSQL versions prior to 14.22: Upgrade to version 14.22 or later.
PostgreSQL version 9.3: Upgrade to a supported version of PostgreSQL.
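The recommendations above amount to a per-major-line version floor. The following script, an added example that is not part of this advisory and not PostgreSQL project code, encodes those floors and classifies a server's reported version against them. It assumes the version string is what `SHOW server_version` returns (for example `16.12` or `17.9 (Debian 17.9-1.pgdg120+1)`); the host inventory at the bottom is constructed for illustration, and treating any major line newer than 18 as already fixed is an assumption.

```python
"""Classify PostgreSQL server_version strings against the fixed releases
named in this advisory (CVE-2026-2006)."""
import re

# First fixed minor release per major line, taken from the advisory's
# recommendations. Lines older than 14 (e.g. 9.3) have no fix listed.
FIXED_MINOR = {18: 3, 17: 9, 16: 13, 15: 17, 14: 22}

# Matches the leading "major.minor" of a server_version string and ignores
# any vendor suffix such as " (Ubuntu 16.4-1.pgdg22.04+1)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)")


def parse_version(server_version: str) -> tuple[int, int]:
    """Return (major, minor) from a server_version string.

    For the pre-10 numbering scheme ("9.3.25") the first two numbers are the
    major line, which is exactly what the advisory keys on.
    """
    match = _VERSION_RE.match(server_version)
    if not match:
        raise ValueError(f"unrecognised server_version: {server_version!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(server_version: str) -> bool:
    """True when the version is below the fixed release for its major line."""
    major, minor = parse_version(server_version)
    if major in FIXED_MINOR:
        return minor < FIXED_MINOR[major]
    if major < 14:
        # Unsupported lines such as 9.3 are listed as affected with no patch.
        return True
    # Assumption: major lines newer than 18 postdate the fix.
    return False


def remediation(server_version: str) -> str:
    """Return the advisory's recommendation text for this version."""
    major, _ = parse_version(server_version)
    if not is_affected(server_version):
        return "No action required"
    if major in FIXED_MINOR:
        return f"Upgrade to version {major}.{FIXED_MINOR[major]} or later"
    return "Upgrade to a supported version of PostgreSQL"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host name -> remediation for every affected host in the inventory."""
    return {
        host: remediation(version)
        for host, version in inventory.items()
        if is_affected(version)
    }


if __name__ == "__main__":
    # Constructed inventory; in practice collect each value with
    #   psql -tAc "SHOW server_version"
    sample_inventory = {
        "db-prod-01": "16.12",
        "db-prod-02": "16.13",
        "db-legacy": "9.3.25",
        "db-reporting": "17.9 (Debian 17.9-1.pgdg120+1)",
        "db-staging": "18.2",
    }
    for host, action in triage(sample_inventory).items():
        print(f"{host}: {sample_inventory[host]} -> {action}")
```

Hosts reported by `triage()` are the ones whose minor release is below the advisory's floor for their line; a host on a supported line at or above the floor is omitted from the output.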
Fix
RCE
Improper Validation of Array Index
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Postgresql
Red Os
Rocky Linux
Ubuntu