FIND-20260329-009 · 2026-03-29 · Innovation Veille
PostgreSQL CVE-2026-2005: pgcrypto heap buffer overflow — arbitrary code execution
cve
HIGH
A heap buffer overflow in the pgcrypto extension allows an attacker who can supply ciphertext to pgcrypto to execute arbitrary code as the OS user running the PostgreSQL server. Fixed in PostgreSQL 18.3, 17.9, 16.13, 15.17 and 14.22, released 2026-02-26. ODS runs PostgreSQL 17, so an upgrade to 17.9 is required. The same release also fixes CVE-2026-2004 (intarray, arbitrary code execution) and CVE-2026-2006 (multibyte character length handling, arbitrary code execution); neither of those depends on pgcrypto, so the upgrade is required whether or not pgcrypto is installed.
Source
https://www.postgresql.org/support/security/CVE-2026-2005/
ODS Impact
ODS runs PostgreSQL 17 (ods-postgres container). Whether securemail or billing-engine actually load pgcrypto has not been confirmed and must be checked per database (pg_extension). Where it is loaded, an attacker who can get crafted ciphertext into a pgcrypto decryption call, for example through a column that stores user-supplied encrypted data, can reach the heap overflow and obtain code execution as the postgres OS user, which owns the data directory and therefore every database in the instance. There is no configuration workaround; the fix is the upgrade from 17.x to 17.9. Because the vulnerable code ships in the server binaries regardless of whether the extension is currently created, and because the co-released CVEs do not involve pgcrypto at all, every ods-postgres instance must be upgraded immediately, not only the ones known to use pgcrypto.
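A version gate for the triage above, as an added example that is not part of the advisory or of the PostgreSQL project. The fixed-version table is copied from this finding; the SQL statements are standard catalog queries to be run with psql inside the ods-postgres container; the sample `version()` strings are constructed test input.

```python
"""Triage helper for CVE-2026-2005 (pgcrypto heap buffer overflow).

Added example, not from the advisory. Feed it the output of
`SELECT version();` from each ods-postgres instance and whether
pgcrypto is created in any database there.
"""
import re
import sys

# First minor release per major that carries the fix, as listed in the finding.
# Majors absent from this table (13 and older, end-of-life) received no fix.
FIXED_MINOR = {18: 3, 17: 9, 16: 13, 15: 17, 14: 22}

# Catalog queries to run per database with psql (real pg_extension columns).
SQL_SERVER_VERSION = "SELECT version();"
SQL_PGCRYPTO_LOADED = (
    "SELECT extname, extversion FROM pg_extension WHERE extname = 'pgcrypto';"
)

# Matches "PostgreSQL 17.6 (Debian 17.6-1.pgdg12+1) on x86_64 ..." and
# also "PostgreSQL 18beta1 ..." (no minor -> treated as minor 0).
VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major, minor) from the text returned by SELECT version()."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not a PostgreSQL version() string: %r" % version_string)
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    return major, minor


def is_patched(version_string):
    """True only if the server is on a major/minor that contains the fix."""
    major, minor = parse_version(version_string)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        # Unsupported major: no fixed release exists, so it stays vulnerable.
        return False
    return minor >= fixed


def triage(version_string, pgcrypto_loaded):
    """Verdict for the ODS Impact section.

    Even without pgcrypto the upgrade is still mandatory, because the
    vulnerable code ships in the server binaries and the co-released CVEs
    (intarray, multibyte handling) do not involve pgcrypto at all.
    """
    if is_patched(version_string):
        return "PATCHED"
    if pgcrypto_loaded:
        return "VULNERABLE_EXPOSED"  # crafted ciphertext reaches the overflow now
    return "VULNERABLE_UPGRADE_REQUIRED"  # exposed as soon as pgcrypto is created


if __name__ == "__main__":
    # Usage: psql -Atc "SELECT version();" | python3 triage.py [pgcrypto]
    banner = sys.stdin.read()
    loaded = "pgcrypto" in sys.argv[1:]
    print(triage(banner, loaded))
```

The `pgcrypto` flag on the command line is a placeholder for the result of `SQL_PGCRYPTO_LOADED`; run that query against every database in the instance, not just the default one, because extensions are created per database.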
Security Review
License: PostgreSQL License (permissive) | Maintenance: ACTIVE | Risk: HIGH until patched (RCE as the postgres OS user) | Recommendation: UPGRADE to 17.9 on every ods-postgres instance
Tags
postgresql
cve
security
rce
pgcrypto
critical