CVE-2026-2006
Status: Undergoing Analysis - In Progress
Buffer Overflow in PostgreSQL Text Handling Enables Code Execution

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: PostgreSQL

Description
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Meta Information
Published: 2026-02-12
Last Modified: 2026-02-20
Generated: 2026-06-16
AI Q&A: 2026-02-12
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 5 associated CPEs

Vendor     | Product    | Version / Range
-----------|------------|---------------------------------
postgresql | postgresql | From 18.0 (inc) to 18.2 (exc)
postgresql | postgresql | From 14.0 (inc) to 14.21 (exc)
postgresql | postgresql | From 15.0 (inc) to 15.16 (exc)
postgresql | postgresql | From 16.0 (inc) to 16.12 (exc)
postgresql | postgresql | From 17.0 (inc) to 17.8 (exc)
CWE ID  | Description
--------|------------------------------------------------------------------------------------------------
CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Executive Summary

CVE-2026-2006 is a vulnerability in PostgreSQL caused by missing validation of multibyte character length during text manipulation.

This flaw allows a database user to craft specific queries that trigger a buffer overrun.

As a result, the attacker can execute arbitrary code with the privileges of the operating system user running the PostgreSQL server.

The vulnerability affects all PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21.

Impact Analysis

This vulnerability can have a severe impact because it allows an attacker to execute arbitrary code on the system running the PostgreSQL database.

Since the code runs with the operating system user's privileges, it can lead to full compromise of the database server.

The CVSS score of 8.8 indicates high severity, with potential impacts on confidentiality, integrity, and availability of data. [1]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PostgreSQL to a fixed version. The vulnerability is resolved in PostgreSQL versions 18.2, 17.8, 16.12, 15.16, and 14.21 or later.

Applying these updates will prevent exploitation of the buffer overrun caused by missing validation of multibyte character length during text manipulation.
