CVE-2026-2005
published 2026-02-12

CVE-2026-2005: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.

Priority: P261 (high)
CVSS 3.1 base score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.21% (64.5th percentile)
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected (15 ranges)

Vendor     | Product       | Version range                                   | Fixed in
-----------|---------------|-------------------------------------------------|-----------------------------------------------
apache     | httpd         |                                                 |
debian     | postgresql-13 | < postgresql-13 13.23-0+deb11u2 (bullseye)      | postgresql-13 13.23-0+deb11u2 (bullseye)
debian     | postgresql-15 | < postgresql-13 13.23-0+deb11u2 (bullseye)      | postgresql-13 13.23-0+deb11u2 (bullseye)
debian     | postgresql-17 | < postgresql-13 13.23-0+deb11u2 (bullseye)      | postgresql-13 13.23-0+deb11u2 (bullseye)
debian     | postgresql-18 | < postgresql-13 13.23-0+deb11u2 (bullseye)      | postgresql-13 13.23-0+deb11u2 (bullseye)
postgresql | postgresql    | < 14.21                                         | 14.21
postgresql | postgresql    | >= 14.0 < 14.21                                 | 14.21
postgresql | postgresql    | >= 15 < 15.16                                   | 15.16
postgresql | postgresql    | >= 15.0 < 15.16                                 | 15.16
postgresql | postgresql    | >= 16 < 16.12                                   | 16.12
postgresql | postgresql    | >= 16.0 < 16.12                                 | 16.12
postgresql | postgresql    | >= 17 < 17.8                                    | 17.8
postgresql | postgresql    | >= 17.0 < 17.8                                  | 17.8
postgresql | postgresql    | >= 18 < 18.2                                    | 18.2
postgresql | postgresql    | >= 18.0 < 18.2                                  | 18.2

Detection & IOCs (extracted from sources)

  • CVE-2026-2005 is a heap buffer overflow in the PostgreSQL pgcrypto extension. Detection should focus on unexpected code execution or crashes originating from the pgcrypto module in PostgreSQL processes.
  • The vulnerability is exploitable by a "ciphertext provider", meaning the attack vector involves supplying crafted ciphertext input to pgcrypto functions. Monitor for anomalous or oversized ciphertext values passed to pgcrypto decrypt functions.
  • Affected versions are PostgreSQL 14 through 18.1 and earlier patch releases. Fixed versions are 18.2, 17.8, 16.12, 15.16, and 14.21. Check the running PostgreSQL version against these thresholds.
  • No public exploit is currently available and the CVE is not listed in CISA KEV, which reduces the immediate exploitation risk, but the EPSS percentile of 7.8 indicates some probability of future exploitation.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_apache |         | 5.4   | LOW      |
vendor_ubuntu |         | 4.3   | MEDIUM   |