A public proof-of-concept exploit has emerged for CVE-2026-2005, a critical heap-based buffer overflow vulnerability within PostgreSQL’s pgcrypto extension. This flaw allows for full remote code execution and privilege escalation to the database superuser level, posing significant risks to affected systems.
The vulnerability has been present since the initial contribution of pgcrypto to PostgreSQL in 2005, remaining undetected for over two decades. It was brought to light by a fully autonomous AI-powered security analysis tool during the Wiz-hosted ZeroDay.Cloud 2025 hacking event held in London on December 10–11, 2025. An upstream patch addressing this issue was committed on February 8, 2026, and subsequently released across all supported PostgreSQL major versions on February 12, 2026.
PoC Released for 20-Year-Old PostgreSQL Flaw
This vulnerability has been assigned a CVSS score of 8.8 (High), a rating underscored by an exposure analysis revealing that approximately 80% of cloud environments utilize PostgreSQL, with 45% of these instances directly accessible via the internet.
The flaw is located in the pgp_parse_pubenc_sesskey() function within contrib/pgcrypto/pgp-pubdec.c. When processing a PGP public-key-encrypted session key packet, the function calculates the session key length as msglen - 3 and copies that many bytes into ctx->sess_key, a buffer limited to PGP_MAX_KEY (32 bytes), without any bounds checking. This oversight allows an attacker to manipulate the session key length to exceed the buffer limit significantly.
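To show the kind of check the advisory says is absent, here is an added, bounds-checked parse of the decrypted session-key message. It is written for this article and is not PostgreSQL's code or the upstream patch; it assumes the three bytes subtracted from msglen are a one-byte cipher-algorithm identifier plus a two-byte checksum (the OpenPGP layout), and the struct and function names are invented.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PGP_MAX_KEY      32   /* session-key buffer size named in the advisory */
#define SESSKEY_OVERHEAD  3   /* algorithm byte + 2-byte checksum (assumed layout) */

enum { SESSKEY_OK = 0, SESSKEY_TOO_SHORT = -1, SESSKEY_TOO_LONG = -2 };

/* Hypothetical context holding only the field the advisory discusses. */
struct sess_ctx {
    uint8_t sess_key[PGP_MAX_KEY];
    size_t  sess_key_len;
    int     cipher_algo;
};

/* Bounds-checked form of the copy: the length is validated before any byte
 * is written. Two checks are needed: msglen < 3 would make msglen - 3 wrap
 * around on a size_t, and msglen - 3 > PGP_MAX_KEY is the overflow itself. */
int parse_sesskey_checked(const uint8_t *msg, size_t msglen, struct sess_ctx *ctx)
{
    size_t key_len;

    if (msglen < SESSKEY_OVERHEAD + 1)       /* need at least a 1-byte key */
        return SESSKEY_TOO_SHORT;
    key_len = msglen - SESSKEY_OVERHEAD;
    if (key_len > PGP_MAX_KEY)
        return SESSKEY_TOO_LONG;

    ctx->cipher_algo  = msg[0];
    memcpy(ctx->sess_key, msg + 1, key_len); /* key_len <= PGP_MAX_KEY here */
    ctx->sess_key_len = key_len;
    return SESSKEY_OK;
}

/* Run the parser on a constructed buffer of `msglen` bytes (algorithm byte
 * 9 = AES-256 in OpenPGP numbering, filler key bytes) and return its status
 * code; the 64-byte scratch buffer bounds the constructed input. */
int run_check(size_t msglen)
{
    uint8_t msg[64];
    struct sess_ctx ctx;

    if (msglen > sizeof msg)
        return SESSKEY_TOO_LONG;
    memset(msg, 0xAB, sizeof msg);
    msg[0] = 9;
    return parse_sesskey_checked(msg, msglen, &ctx);
}
```

A 35-byte message (a full 32-byte key) is accepted; 36 bytes is rejected before any copy, which is the case the unchecked version overflows on.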
The pgcrypto extension is classified as a trusted extension, meaning any database role with CREATE privileges can install it without needing superuser access, which lowers the barrier for exploitation considerably.
The proof-of-concept, published on GitHub by researcher var77, employs a sequence of three exploit primitives:
- Information Leak — A specially crafted PGP message partially overwrites dst->data with two null bytes, redirecting it to a lower heap address. When decrypt_internal returns, mbuf_steal_data(dst) exposes a window of heap memory that reveals both the PIE base and a heap reference in a single operation.
- Arbitrary Write — A second connection, which inherits an identical ASLR layout through PostgreSQL's fork() model, triggers the overflow once more. This time it forges all four dst fields (data, data_end, read_pos, buf_end), enabling arbitrary writes to any known address.
- Privilege Escalation to RCE — The exploit targets CurrentUserId, a global variable in PostgreSQL's .data section, overwriting it to 10 (BOOTSTRAP_SUPERUSERID). With superuser privileges, the command COPY (SELECT ...) TO PROGRAM can execute arbitrary OS commands as the PostgreSQL system user.
A critical aspect that enhances the reliability of this exploit is PostgreSQL’s architecture, which forks a new backend for each connection, inheriting the parent’s address space. This design means that the ASLR layout remains consistent across all connections to the same postmaster, allowing any leaked address from one connection to be valid on subsequent connections.
Affected Versions & Patches
The vulnerability impacts every supported major version of PostgreSQL prior to the February 2026 releases. The patched versions include: 18.2, 17.8, 16.12, 15.16, and 14.21. It is noteworthy that this vulnerability was disclosed alongside another significant flaw, CVE-2026-2006 (CVSS 9.0), which was also identified during the ZeroDay.Cloud 2025 event and patched in the same update cycle.
Mitigation
- Upgrade immediately to PostgreSQL versions 18.2, 17.8, 16.12, 15.16, or 14.21.
- Restrict CREATE privileges on databases to prevent untrusted roles from loading pgcrypto.
- Block direct internet exposure of PostgreSQL port 5432, limiting access to trusted application subnets only.
- Rotate database credentials across applications, CI/CD pipelines, and secrets stores.
- Audit the usage of COPY FROM PROGRAM and enforce restrictions via role-level controls.
- For cloud-managed PostgreSQL users, verify that the provider has deployed the patched engine versions.