CVE-2026-2003 — Improper Validation of Specified Type of Input in Postgresql

CWE-1287 — Improper Validation of Specified Type of Input8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 95.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Debian Postgresql-13 Debian Postgresql-15 +2 more

Timeline

PublishedFeb 12

Latest updateMar 4

Description

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/postgresql-13< postgresql-13 13.23-0+deb11u2 (bullseye)

▶debiandebian/postgresql-15< postgresql-13 13.23-0+deb11u2 (bullseye)

▶debiandebian/postgresql-17< postgresql-13 13.23-0+deb11u2 (bullseye)

▶debiandebian/postgresql-18< postgresql-13 13.23-0+deb11u2 (bullseye)

▶CVEListV5postgresql/postgresql18 — 18.2+4

🔴Vulnerability Details

OSV

postgresql-14, postgresql-16, postgresql-17 vulnerabilities↗2026-03-04

▶

GHSA

GHSA-f3vj-j2m6-8hfj: Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory↗2026-02-12

▶

OSV

CVE-2026-2003: Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory↗2026-02-12

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2026-03-04

▶

Red Hat

postgresql: PostgreSQL oidvector discloses a few bytes of memory↗2026-02-12

▶

Debian

CVE-2026-2003: postgresql-13 - Improper validation of type "oidvector" in PostgreSQL allows a database user to ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2003 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶