cbcvebase.
CVE-2026-2006
published 2026-02-12

CVE-2026-2006: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun…

PriorityP264high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.08%
60.9th percentile
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected

16 ranges
VendorProductVersion rangeFixed in
apachehttpd
debianpostgresql-13< postgresql-13 13.23-0+deb11u2 (bullseye)postgresql-13 13.23-0+deb11u2 (bullseye)
debianpostgresql-15< postgresql-13 13.23-0+deb11u2 (bullseye)postgresql-13 13.23-0+deb11u2 (bullseye)
debianpostgresql-17< postgresql-13 13.23-0+deb11u2 (bullseye)postgresql-13 13.23-0+deb11u2 (bullseye)
debianpostgresql-18< postgresql-13 13.23-0+deb11u2 (bullseye)postgresql-13 13.23-0+deb11u2 (bullseye)
ensdomainsens-contracts0 – 1.6.2
postgresqlpostgresql< 14.2114.21
postgresqlpostgresql>= 14.0 < 14.2114.21
postgresqlpostgresql>= 15 < 15.1615.16
postgresqlpostgresql>= 15.0 < 15.1615.16
postgresqlpostgresql>= 16 < 16.1216.12
postgresqlpostgresql>= 16.0 < 16.1216.12
postgresqlpostgresql>= 17 < 17.817.8
postgresqlpostgresql>= 17.0 < 17.817.8
postgresqlpostgresql>= 18 < 18.218.2
postgresqlpostgresql>= 18.0 < 18.218.2

Detection & IOCsextracted from sources · hover to see the quote

  • Trigger condition: a database user issues crafted queries exploiting missing multibyte character length validation in PostgreSQL text manipulation functions, resulting in a buffer overrun and arbitrary code execution as the OS user running the database.
  • Affected component is PostgreSQL text manipulation (multibyte/character length handling); monitor for anomalous or oversized multibyte string inputs in SQL queries against PostgreSQL instances running versions before 18.2, 17.8, 16.12, 15.16, and 14.21.
  • ·No public exploit is available as of the published date; exploitation probability (EPSS) percentile is 9.7, meaning active in-the-wild exploitation has not been confirmed.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
vendor_apache5.4LOW
vendor_ubuntu4.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.