CVE-2026-2003
Undergoing Analysis Undergoing Analysis - In Progress
Information Disclosure via Improper oidvector Validation in PostgreSQL

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: PostgreSQL

Description
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-20
Generated
2026-05-06
AI Q&A
2026-02-12
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2003
EUVD
EUVD-2026-7039
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
postgresql postgresql From 18.0 (inc) to 18.2 (exc)
postgresql postgresql From 14.0 (inc) to 14.21 (exc)
postgresql postgresql From 15.0 (inc) to 15.16 (exc)
postgresql postgresql From 16.0 (inc) to 16.12 (exc)
postgresql postgresql From 17.0 (inc) to 17.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2003 is a vulnerability in PostgreSQL caused by improper validation of the oidvector data type.

This flaw allows a database user to disclose a few bytes of server memory.

While it is possible that these disclosed bytes could contain confidential information, such attacks are considered unlikely.

The vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21.


How can this vulnerability impact me? :

This vulnerability can lead to the disclosure of a small amount of server memory to a database user.

Although the disclosed memory might contain confidential information, the likelihood of such an event is considered low.

The impact is limited to confidentiality with no effect on data integrity or availability.

The CVSS score of 4.3 reflects a low severity with network attack vector, low attack complexity, and low privileges required.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade PostgreSQL to one of the fixed versions: 18.2, 17.8, 16.12, 15.16, or 14.21 or later.

Applying the patches released on February 12, 2026, will address the improper validation of the oidvector data type and prevent disclosure of server memory bytes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart