CVE-2026-2004

EUVD-2026-6183
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.  Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
PostgreSQLCNA
8.8 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Affected Products (NVD)
VendorProductVersion
postgresqlpostgresql
14.0 ≤
𝑥
< 14.21
postgresqlpostgresql
15.0 ≤
𝑥
< 15.16
postgresqlpostgresql
16.0 ≤
𝑥
< 16.12
postgresqlpostgresql
17.0 ≤
𝑥
< 17.8
postgresqlpostgresql
18.0 ≤
𝑥
< 18.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
postgresql-13
bullseye
vulnerable
bullseye (security)
vulnerable
postgresql-15
bookworm
vulnerable
bookworm (security)
15.16-0+deb12u1
fixed
postgresql-17
trixie
vulnerable
trixie (security)
17.8-0+deb13u1
fixed
postgresql-18
forky
18.2-1
fixed
sid
18.2-1
fixed
Common Weakness Enumeration
References
https://www.postgresql.org/support/security/CVE-2026-2004/