2439324 – (CVE-2026-2006) CVE-2026-2006 postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code

Bug 2439324 (CVE-2026-2006) - CVE-2026-2006 postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code

Summary: CVE-2026-2006 postgresql: PostgreSQL missing validation of multibyte characte...

Keywords:
Status:	NEW
Alias:	CVE-2026-2006
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2439451 2439452 2439453 2439454 2439455 2439456 2439457
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-12 14:01 UTC by OSIDB Bzimport
Modified:	2026-02-12 18:51 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-12 14:01:50 UTC

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun.  That suffices to execute arbitrary code as the operating system user running the database.  Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Note You need to log in before you can comment on or make changes to this bug.