CVE-2026-2003

EUVD-2026-7039
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory.  We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.  Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
postgresqlpostgresql
14.0 ≤
𝑥
< 14.21
postgresqlpostgresql
15.0 ≤
𝑥
< 15.16
postgresqlpostgresql
16.0 ≤
𝑥
< 16.12
postgresqlpostgresql
17.0 ≤
𝑥
< 17.8
postgresqlpostgresql
18.0 ≤
𝑥
< 18.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
postgresql-13
bullseye
vulnerable
bullseye (security)
vulnerable
postgresql-15
bookworm
vulnerable
bookworm (security)
15.16-0+deb12u1
fixed
postgresql-17
trixie
17.9-0+deb13u1
fixed
trixie (security)
17.8-0+deb13u1
fixed
postgresql-18
forky
18.3-1
fixed
sid
18.3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postgresql-18
jammy
dne
noble
dne
questing
dne
postgresql-17
jammy
dne
noble
dne
questing
Fixed 17.9-0ubuntu0.25.10.1
released
postgresql-16
jammy
dne
noble
Fixed 16.13-0ubuntu0.24.04.1
released
questing
dne
postgresql-14
jammy
Fixed 14.22-0ubuntu0.22.04.1
released
noble
dne
questing
dne
postgresql-12
focal
needs-triage
jammy
dne
noble
dne
questing
dne
postgresql-10
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
postgresql-9.5
jammy
dne
noble
dne
questing
dne
xenial
needs-triage
postgresql-9.3
jammy
dne
noble
dne
questing
dne
trusty
deferred
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://www.postgresql.org/support/security/CVE-2026-2003/