CVE-2026-2006 – PostgreSQL missing validation of multibyte character length executes arbitrary code

CVE ID : CVE-2026-2006

Published : Feb. 12, 2026, 1 p.m. | 1 hour, 26 minutes ago

Description : Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…