PostgreSQL Schedules Emergency Out-of-Cycle Release After Regression in February Update

The PostgreSQL Global Development Group announced an unscheduled, out-of-cycle release for February 26, 2026, after discovering two significant regressions introduced in the February 12 security update that shipped versions 18.2, 17.8, 16.12, 15.16, and 14.21. The emergency release will ship fixes as versions 18.3, 17.9, 16.13, 15.17, and 14.22.

Regressions Introduced by the February Security Update

The first regression affects the substring() function. The fix for CVE-2026-2006 — which closed a server-side vulnerability — inadvertently caused substring() to return an "invalid byte sequence for encoding" error when the source of a text value is a database column containing multi-byte, non-ASCII characters. The problem only manifests when the value comes from a column rather than a string literal, making it easy to miss in testing but potentially impactful in any application serving international content.

The second regression affects standby servers. Under certain conditions, a standby may halt with a "could not access status of transaction" error, causing replication failures that require manual intervention to resolve. High-availability setups relying on streaming replication are directly affected.

What to Do Before February 26

Operators who upgraded to the February 12 release and are experiencing either issue can apply the relevant upstream commits manually using commit references published on the PostgreSQL project wiki. Each supported version has a separate commit to apply. If neither regression impacts your workload, the safest course is to wait for the scheduled release.

The next regular quarterly release after this fix is scheduled for May 14, 2026. Out-of-cycle releases are unusual for the PostgreSQL project, but its policy is to address critical regressions promptly rather than waiting for the next scheduled maintenance window.