CVE-2026-2007
Heap Buffer Overflow in PostgreSQL pg_trgm Risks Privilege Escalation
Publication date: 2026-02-12
Last updated on: 2026-02-20
Assigner: PostgreSQL
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postgresql | postgresql | From 18.0 (inc) to 18.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2007 is a heap buffer overflow vulnerability in the PostgreSQL pg_trgm extension affecting versions 18.0 and 18.1.
This flaw allows a database user to write crafted input patterns onto server memory with limited control over the byte patterns written.
Although the exact impact is unknown, it could potentially be exploited for privilege escalation.
How can this vulnerability impact me?
The vulnerability can lead to integrity and availability issues in the affected PostgreSQL server.
- An attacker can exploit the heap buffer overflow to write crafted input to server memory.
- This may result in privilege escalation, allowing an attacker to gain higher access rights.
- The CVSS score indicates a high impact on availability and a low impact on integrity, but no confidentiality impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade PostgreSQL to version 18.2 or later, where the heap buffer overflow in the pg_trgm extension has been fixed.