CVE-2026-2007

EUVD-2026-7042
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string.  The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.  PostgreSQL 18.1 and 18.0 are affected.
Base Score (CVSS 3.x)

Provider    Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST        Primary  8.2 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
PostgreSQL  CNA      8.2 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS Score: percentile 16%
Affected Products (NVD)

Vendor      Product     Version
postgresql  postgresql  18.0 ≤ x < 18.2

x = vulnerable software versions
Debian Releases

Debian Product  Codename             Version          Status
postgresql-13   bullseye             13.16-0+deb11u1  fixed
postgresql-13   bullseye (security)  13.23-0+deb11u1  fixed
postgresql-15   bookworm             15.15-0+deb12u1  fixed
postgresql-15   bookworm (security)  15.16-0+deb12u1  fixed
postgresql-17   trixie               17.7-0+deb13u1   fixed
postgresql-17   trixie (security)    17.8-0+deb13u1   fixed
postgresql-18   forky                18.2-1           fixed
postgresql-18   sid                  18.2-1           fixed