Altan Birler discovered that PostgreSQL incorrectly validated oidvector types. An attacker could possibly use this issue to obtain a few bytes of sensitive information. (CVE-2026-2003)

Daniel Firer discovered that PostgreSQL incorrectly validated input in the intarray extension. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-2004)

It was discovered that PostgreSQL incorrectly handled certain pgcrypto memory operations. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-2005)

Paul Gerste and Moritz Sanft discovered that PostgreSQL incorrectly validated multibyte character lengths. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-2006)
Multiple vulnerabilities in PostgreSQL include an oidvector validation flaw (CVE-2026-2003, CVSS 4.3) leading to information disclosure, and three high-severity flaws (CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVSS 8.8) in the intarray extension, pgcrypto, and multibyte character handling that could allow arbitrary code execution. These affect PostgreSQL versions 14.0 to 14.20, 15.0 to 15.15, 16.0 to 16.11, 17.0 to 17.7, and 18.0 to 18.1. Patches are available in versions 14.21, 15.16, 16.12, 17.8, and 18.2 respectively.
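A quick check of a server's reported version against the fixed releases listed above, added here as an example and not part of the advisory. It parses the text returned by SELECT version() or SHOW server_version; the sample strings are constructed, and majors outside 14 to 18 are reported as unknown rather than assessed.

```python
import re
from typing import Optional, Tuple

# First fixed minor release per major branch, as listed in the advisory.
FIXED_MINOR = {14: 21, 15: 16, 16: 12, 17: 8, 18: 2}

CVES = ("CVE-2026-2003", "CVE-2026-2004", "CVE-2026-2005", "CVE-2026-2006")

# First "major.minor" token in the string is the server version; compiler
# versions that may follow in version() output appear later and are ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from version() or server_version output.

    Returns None when no major.minor token is present (e.g. '18beta1').
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers unparsable strings and majors the advisory does not list.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor = v
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "unknown"
    return "patched" if minor >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real server.
    samples = [
        "PostgreSQL 16.4 (Ubuntu 16.4-1.pgdg22.04+1) on x86_64-pc-linux-gnu",
        "PostgreSQL 17.8 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.4.0",
        "18.1",
        "PostgreSQL 13.20 on x86_64-pc-linux-gnu",
    ]
    for s in samples:
        print(f"{assess(s):10s} {s}  ({', '.join(CVES)})")
```

Distribution packages can carry a backported fix without changing the upstream minor, so treat a "vulnerable" result as a prompt to confirm against the package changelog rather than as a final verdict.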