PostgreSQL 18.2, 17.8, 16.12 Security Update Fixes 5 Vulnerabilities

PostgreSQL has released a multi-version security update addressing five vulnerabilities, including critical remote code execution flaws, that affect versions 18, 17, 16, 15, and 14.

TechDrop Editorial

The PostgreSQL Global Development Group has released security updates across all supported versions of the popular open-source database system. PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 were released on February 12, fixing five security vulnerabilities and over 65 bugs reported in recent months.

Critical Remote Code Execution Flaws

The most severe vulnerabilities allow attackers to execute arbitrary code on the database server. CVE-2026-2004 affects the intarray extension's selectivity estimator function, while CVE-2026-2005 involves a heap buffer overflow in the pgcrypto extension. Both vulnerabilities could allow an attacker to run malicious code as the operating system user running the database.

CVE-2026-2006 addresses missing validation of multibyte character length in text manipulation functions, which could lead to buffer overruns and code execution. Additionally, CVE-2026-2007 patches a heap buffer overflow in pg_trgm, though this vulnerability only affects PostgreSQL 18.

Information Disclosure Issue

CVE-2026-2003 fixes an improper validation issue in the oidvector type that could allow a database user to disclose a small amount of server memory. While less severe than the remote code execution flaws, this vulnerability still poses a risk to data confidentiality.

Immediate Update Recommended

The PostgreSQL team strongly recommends that all users upgrade to the latest patch release as soon as possible. The update process is straightforward for most installations, requiring only the replacement of binaries followed by a database restart. Organizations should prioritize this update given the severity of the vulnerabilities addressed.
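As an added example (not code from the PostgreSQL project or from this article), here is a small Python check that takes the output of `SHOW server_version` and reports whether the running server is at or above the fixed release for its major version, and which of the extensions named above are installed (the pg_trgm flaw is only counted on PostgreSQL 18, as the advisory states). It assumes you obtain the inputs with `psql -Atc "SHOW server_version"` and `SELECT extname FROM pg_extension`; the sample values in the block are constructed.

```python
import re

# Fixed minor releases from the advisory, keyed by major version.
# Majors older than 14 are out of support and receive no fix.
FIXED_RELEASES = {18: 2, 17: 8, 16: 12, 15: 16, 14: 21}

# Extensions named in the advisory as carrying one of the fixed flaws.
AFFECTED_EXTENSIONS = {"intarray", "pgcrypto", "pg_trgm"}


def parse_version(server_version: str) -> tuple[int, int]:
    """Parse `SHOW server_version` output such as '17.6 (Debian 17.6-1.pgdg12+1)'."""
    m = re.match(r"\s*(\d+)\.(\d+)", server_version)
    if not m:
        raise ValueError(f"unrecognised server_version: {server_version!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(server_version: str) -> bool:
    """True if the server runs the fixed minor release (or later) for its major."""
    major, minor = parse_version(server_version)
    if major not in FIXED_RELEASES:
        # Unsupported major: no fixed release exists, so treat as unpatched.
        return False
    return minor >= FIXED_RELEASES[major]


def affected_extensions_installed(server_version: str, installed) -> list:
    """Installed extensions that carry one of the advisory's flaws on this major.

    Note: CVE-2026-2003 and CVE-2026-2006 are in core, so an unpatched server
    is exposed even if this returns an empty list.
    """
    major, _ = parse_version(server_version)
    exposed = set(installed) & AFFECTED_EXTENSIONS
    if major != 18:
        exposed.discard("pg_trgm")  # CVE-2026-2007 only affects PostgreSQL 18
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed sample inputs; in practice feed the psql query results here.
    version = "18.1 (Ubuntu 18.1-1.pgdg24.04+1)"
    extensions = ["plpgsql", "pg_trgm", "pgcrypto"]
    print("patched:", is_patched(version))
    print("affected extensions installed:",
          affected_extensions_installed(version, extensions))
```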