Patches have been released for all identified vulnerabilities, with maintainers of both PostgreSQL and MariaDB strongly advising users to upgrade to the latest fixed versions without delay.
More than one crack in PostgreSQL’s foundation
Among the vulnerabilities, a particularly concerning zero-day flaw in PostgreSQL has emerged, classified as a heap-based buffer overflow. This vulnerability, tracked as CVE-2026-2005, resides in the “pgcrypto” extension. Researchers have indicated that an attacker can trigger the flaw by supplying specially crafted input, which causes a size mismatch and results in out-of-bounds writes on the heap. The findings were detailed in a recent blog post.
In scenarios where pgcrypto handles user-controlled input, the vulnerability can be leveraged to achieve remote code execution on the database server. The flaw affects all supported versions of PostgreSQL and has been addressed in updates including v18.2, v17.8, v16.12, v15.16, and v14.21. With a high-severity rating of CVSS 8.8 out of 10, the implications of this vulnerability are significant. Researchers noted that the vulnerable code has been part of pgcrypto since its initial contribution in 2005, marking over two decades of exposure.