CVE-2026-2003
Undergoing Analysis Undergoing Analysis - In Progress
Information Disclosure via Improper oidvector Validation in PostgreSQL

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: PostgreSQL

Description
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2003
EUVD
EUVD-2026-7039
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
postgresql postgresql From 18.0 (inc) to 18.2 (exc)
postgresql postgresql From 14.0 (inc) to 14.21 (exc)
postgresql postgresql From 15.0 (inc) to 15.16 (exc)
postgresql postgresql From 16.0 (inc) to 16.12 (exc)
postgresql postgresql From 17.0 (inc) to 17.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2003 is a vulnerability in PostgreSQL caused by improper validation of the oidvector data type.

This flaw allows a database user to disclose a few bytes of server memory.

While it is possible that these disclosed bytes could contain confidential information, such attacks are considered unlikely.

The vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21.

Impact Analysis

This vulnerability can lead to the disclosure of a small amount of server memory to a database user.

Although the disclosed memory might contain confidential information, the likelihood of such an event is considered low.

The impact is limited to confidentiality with no effect on data integrity or availability.

The CVSS score of 4.3 reflects a low severity with network attack vector, low attack complexity, and low privileges required.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PostgreSQL to one of the fixed versions: 18.2, 17.8, 16.12, 15.16, or 14.21 or later.

Applying the patches released on February 12, 2026, will address the improper validation of the oidvector data type and prevent disclosure of server memory bytes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2003. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart