FIND-20260330-003 · 2026-03-30 · Innovation Veille
PostgreSQL CVEs from February 2026 release — pgcrypto heap overflow, intarray code exec, pg_trgm privilege escalation
cve
HIGH
PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22 were released on 2026-02-26 patching four critical CVEs: CVE-2026-2005 (pgcrypto heap buffer overflow → arbitrary code exec), CVE-2026-2004 (intarray selectivity estimator missing type validation → arbitrary code exec), CVE-2026-2003 (oidvector memory disclosure), CVE-2026-2007 (pg_trgm heap buffer overflow → privilege escalation). ODS runs PostgreSQL 17 — the patched version is 17.9. Current production is likely still on 17.7 or earlier if not upgraded after the February release.
Source
https://www.postgresql.org/support/security/
ODS Impact
Critical. All ODS services store data in PostgreSQL 17 (oid, docstore, pdf-engine, workflow-engine, billing-engine, etc.). CVE-2026-2005 and CVE-2026-2004 allow arbitrary code execution at the OS level of the database host by an attacker who already has a database connection. Immediately verify the PostgreSQL version on srv-staging (ods-postgres container) and upgrade to 17.9. Check whether the pgcrypto, intarray, or pg_trgm extensions are installed in any database (extensions are installed per database, so every database must be checked, not only the default one).
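Added example (not part of the finding): a POSIX shell check for the ods-postgres container that compares server_version_num against the first fixed minor of each supported major line from the 2026-02-26 release and lists the affected extensions in every connectable database. It assumes docker on the host, a container named ods-postgres and a superuser named postgres; only the two names are from the finding.

```sh
#!/bin/sh
# Added example (not from the finding): audit the ods-postgres container for the
# 2026-02-26 fixes. Assumes docker on the host and a superuser named postgres.
set -eu

CONTAINER="${ODS_PG_CONTAINER:-ods-postgres}"
PG_USER="${ODS_PG_USER:-postgres}"

# First fixed minor per major line as server_version_num (major*10000 + minor):
# 18.3, 17.9, 16.13, 15.17, 14.22 from the February 2026 release.
min_patched_num() {
    case "$1" in
        18) echo 180003 ;;
        17) echo 170009 ;;
        16) echo 160013 ;;
        15) echo 150017 ;;
        14) echo 140022 ;;
        *)  echo "" ;;   # major line not covered by the release
    esac
}

# patch_status <server_version_num>: prints PATCHED, VULNERABLE or UNSUPPORTED
patch_status() {
    major=$(( $1 / 10000 ))
    min=$(min_patched_num "$major")
    if [ -z "$min" ]; then echo UNSUPPORTED
    elif [ "$1" -ge "$min" ]; then echo PATCHED
    else echo VULNERABLE
    fi
}

# q <database> <sql>: run a query in the container; -At prints bare tuples.
q() { docker exec "$CONTAINER" psql -U "$PG_USER" -d "$1" -Atc "$2"; }

audit() {
    num=$(q postgres "SHOW server_version_num")
    echo "server_version_num=$num status=$(patch_status "$num")"
    # pg_extension is per database, so every connectable database is checked.
    for db in $(q postgres "SELECT datname FROM pg_database WHERE datallowconn"); do
        exts=$(q "$db" "SELECT string_agg(extname || ' ' || extversion, ', ')
                        FROM pg_extension
                        WHERE extname IN ('pgcrypto', 'intarray', 'pg_trgm')")
        if [ -n "$exts" ]; then echo "$db: affected extensions installed: $exts"; fi
    done
}

# Only touch docker when explicitly asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

A VULNERABLE status on 17.x means the container is still below 17.9; an empty extension line for a database means none of the three affected extensions is installed there.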
Security Review
License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
postgresql
cve
pgcrypto
intarray
pg_trgm
database
critical
patch-required