CVE-2026-2007 PUBLISHED

PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory

Assigner: PostgreSQL
Reserved: 05.02.2026 Published: 12.02.2026 Updated: 12.02.2026

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS Score: 8.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	n/a
Product	PostgreSQL
Versions	Default: unaffected affected from 18 to 18.2 (excl.)

Affected Configurations

attacker has permission to install pg_trgm in a database with certain locales or pass text to an existing installation

Credits

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

References

https://www.postgresql.org/support/security/CVE-2026-2007/

Problem Types

Heap-based Buffer Overflow CWE