CVE-2026-2005

Undergoing Analysis Undergoing Analysis - In Progress

Heap Buffer Overflow in PostgreSQL pgcrypto Enables Code Execution

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: PostgreSQL

Description

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-12

Last Modified

2026-02-20

Generated

2026-06-16

AI Q&A

2026-02-12

EPSS Evaluated

2026-06-14

NVD

CVE-2026-2005

EUVD

EUVD-2026-6182

Affected Vendors & Products

Vendor	Product	Version / Range
postgresql	postgresql	From 18.0 (inc) to 18.2 (exc)
postgresql	postgresql	From 14.0 (inc) to 14.21 (exc)
postgresql	postgresql	From 15.0 (inc) to 15.16 (exc)
postgresql	postgresql	From 16.0 (inc) to 16.12 (exc)
postgresql	postgresql	From 17.0 (inc) to 17.8 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-122	A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

Executive Summary

CVE-2026-2005 is a heap buffer overflow vulnerability in the PostgreSQL pgcrypto module.

This flaw allows a ciphertext provider to execute arbitrary code with the privileges of the operating system user running the database.

It affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code on the system with the same privileges as the operating system user running the PostgreSQL database.

This can lead to a full compromise of the database server, including unauthorized access, modification, or deletion of data.

The vulnerability has a high impact on confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-2005 vulnerability, users should upgrade PostgreSQL to the fixed versions released on February 12, 2026.

Upgrade to PostgreSQL version 18.2 or later.
Upgrade to PostgreSQL version 17.8 or later.
Upgrade to PostgreSQL version 16.12 or later.
Upgrade to PostgreSQL version 15.16 or later.
Upgrade to PostgreSQL version 14.21 or later.

Hi! I’m here to help you understand CVE-2026-2005. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-2005

Heap Buffer Overflow in PostgreSQL pgcrypto Enables Code Execution

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart