CVE-2025-4207Buffer Over-read in Postgresql-13

CWE-126Buffer Over-readCWE-416Use After Free9 documents7 sources
Severity
5.9MEDIUMNVD
EPSS
0.3%
top 44.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
Debian Postgresql-13Debian Postgresql-15Debian Postgresql-17+9 more
Timeline
PublishedMay 8
Latest updateMay 21

Description

Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages12 packages

debiandebian/postgresql-13< postgresql-13 13.21-0+deb11u1 (bullseye)
debiandebian/postgresql-15< postgresql-13 13.21-0+deb11u1 (bullseye)
debiandebian/postgresql-17< postgresql-13 13.21-0+deb11u1 (bullseye)

🔴Vulnerability Details

2
GHSA
GHSA-6x46-2273-xjjf: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where2025-05-08
OSV
CVE-2025-4207: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where2025-05-08

📋Vendor Advisories

6
Ubuntu
PostgreSQL vulnerability2025-05-21
Ubuntu
PostgreSQL vulnerability2025-05-20
Microsoft
PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation2025-05-13
Red Hat
postgresql: PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation2025-05-08
Debian
CVE-2025-4207: postgresql-13 - Buffer over-read in PostgreSQL GB18030 encoding validation allows a database inp...2025