FIND-20260328-003 · 2026-03-28 · Innovation Veille
CVE-2026-2005 — PostgreSQL pgcrypto heap buffer overflow (CVSS 8.8 HIGH)
cve
HIGH
CVE-2026-2005 is a heap buffer overflow in the PostgreSQL pgcrypto extension (CVSS 8.8 HIGH), fixed in PostgreSQL 17.8 and 18.2 (released February 12, 2026). An authenticated database user who can get crafted ciphertext passed to pgcrypto can execute arbitrary code as the operating-system user running the PostgreSQL server. Affects all supported PostgreSQL versions before the fixed releases; this page names 17.8 and 18.2, so confirm the fixed minor for any older supported branch in the upstream advisory. Fixed in the same release: CVE-2026-2004 (intarray code execution, CVSS 8.8), CVE-2026-2006 (multibyte character validation bypass, CVSS 8.8) and CVE-2026-2003 (oidvector memory disclosure, CVSS 4.3).
Source
https://www.postgresql.org/support/security/CVE-2026-2005/
ODS Impact
ODS runs PostgreSQL 17 as the primary data store for all services (OID, DocStore, PDF Engine, Workflow Engine and others). The dev instance is on PostgreSQL 17.9 (already patched, per last-versions.json). Any staging or production PostgreSQL container still on 17.7 or earlier must be updated immediately. pgcrypto is commonly used for UUID generation and column encryption, so check whether any ODS service has the extension installed (pg_extension) or calls its functions directly. Note that pgcrypto has been a trusted extension since PostgreSQL 13: a non-superuser with CREATE privilege on a database can install it without operator involvement, so an instance with no pgcrypto today is still exposed until it is upgraded.
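The version and extension check described above, as an added triage script for this finding (not ODS tooling and not PostgreSQL project code). It embeds the two SQL statements to run per instance, parses SHOW server_version output, compares against the fixed minors this page names (17.8, 18.2), reports any other branch as UNKNOWN instead of guessing, and flags that a missing pgcrypto is not a mitigation. Host names and version strings in the sample inventory are constructed; only the dev figure (17.9) comes from the page.

```python
"""CVE-2026-2005 triage: classify PostgreSQL instances by server version and
pgcrypto presence.  Added example for this finding, not ODS tooling and not
PostgreSQL project code.  Host names and version strings below are constructed."""
import re

# Fixed releases named on this page (upstream advisory: 17.8 and 18.2).
# Branches not listed here are reported as UNKNOWN rather than guessed.
FIXED_MINOR = {17: 8, 18: 2}

# The two statements to run per instance, e.g.:
#   psql -At -c "SHOW server_version;"
#   psql -At -c "SELECT extversion FROM pg_extension WHERE extname = 'pgcrypto';"
SQL_VERSION = "SHOW server_version;"
SQL_PGCRYPTO = "SELECT extversion FROM pg_extension WHERE extname = 'pgcrypto';"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int]:
    """(major, minor) from 'SHOW server_version' output such as '17.7' or
    '17.9 (Debian 17.9-1.pgdg120+1)'.  Raises ValueError on unparseable input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised server_version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version_text: str) -> str:
    """PATCHED, VULNERABLE or UNKNOWN for CVE-2026-2005 based on version alone."""
    major, minor = parse_version(version_text)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "UNKNOWN"  # branch not covered by this page; consult upstream
    return "PATCHED" if minor >= fixed else "VULNERABLE"


def triage(inventory):
    """inventory: list of (host, server_version output, pgcrypto extversion or None).
    Returns {host: (status, pgcrypto_installed, action)}."""
    result = {}
    for host, version_text, extversion in inventory:
        status = classify(version_text)
        installed = extversion is not None
        if status == "VULNERABLE":
            action = "upgrade now"
            if not installed:
                # pgcrypto is a trusted extension since PG13: any role with CREATE
                # on the database can install it, so absence is not mitigation.
                action += " (pgcrypto not installed, but installable by non-superusers)"
        elif status == "UNKNOWN":
            action = "check this branch's fixed minor in the upstream advisory"
        else:
            action = "none"
        result[host] = (status, installed, action)
    return result


# Constructed sample inventory (not real ODS hosts); only the dev line matches
# the 17.9 figure reported in last-versions.json.
SAMPLE_INVENTORY = [
    ("pg-dev",     "17.9 (Debian 17.9-1.pgdg120+1)", "1.3"),
    ("pg-staging", "17.7",                            "1.3"),
    ("pg-prod",    "18.1",                            None),
    ("pg-legacy",  "16.4",                            "1.3"),
]

if __name__ == "__main__":
    for host, (status, installed, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:10} pgcrypto={'yes' if installed else 'no':3} {action}")
```

To use it against real containers, collect the output of SQL_VERSION and SQL_PGCRYPTO from each instance (for example with `psql -At -c`) and build the inventory list from those strings; the script deliberately does not connect to anything itself.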
Security Review
License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
postgresql
cve
security
pgcrypto
heap-overflow
high