CVE-2026-2005 PUBLISHED

PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

Assigner: PostgreSQL
Reserved: 05.02.2026 Published: 12.02.2026 Updated: 12.02.2026

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	n/a
Product	PostgreSQL
Versions	Default: unaffected affected from 18 to 18.2 (excl.) affected from 17 to 17.8 (excl.) affected from 16 to 16.12 (excl.) affected from 15 to 15.16 (excl.) affected from 0 to 14.21 (excl.)

Affected Configurations

attacker has permission to install pgcrypto or pass arbitrary ciphertext to an already-installed pgcrypto

Credits

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.

References

https://www.postgresql.org/support/security/CVE-2026-2005/

Problem Types

Heap-based Buffer Overflow CWE