FIND-20260401-009 · 2026-04-01 · Innovation Veille

PostgreSQL CVE-2026-2005 (pgcrypto heap overflow) — CONFIRMED PATCHED in 17.8+

cve HIGH
CVE-2026-2005 (CVSS 8.8, HIGH): PostgreSQL pgcrypto heap buffer overflow allows a ciphertext provider to execute arbitrary code as the OS user running the database. CONFIRMED PATCHED: Fixed in PostgreSQL 17.8 (released 2026-02-12 alongside 18.2, 16.12, 15.16, 14.21). The same release also fixed CVE-2026-2004 (intarray, CVSS 8.8), CVE-2026-2006 (multibyte char buffer overrun, CVSS 8.8), CVE-2026-2007 (pg_trgm heap overflow, CVSS 8.2), and CVE-2026-2003 (oidvector disclosure, CVSS 4.3). ODS tracks 17.9 in last-versions.json — ODS is PROTECTED if running 17.9.

Source

https://www.postgresql.org/support/security/CVE-2026-2005/

ODS Impact

ODS runs PostgreSQL 17 (ods-postgres container). The tracked version is 17.9, which is above 17.8 (the fixed version), so all 5 CVEs from the February 2026 batch are covered. The tracked entry in last-versions.json is not proof of what is actually deployed, so ACTION: verify the version reported by the running container matches 17.9: `docker exec ods-postgres psql -U ods -c "SELECT version();"`. If it reports anything below 17.8, upgrade immediately.
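
The following is an added example, not part of the original finding, showing how that verification can be scripted so the running server version is compared against the fixed release for its branch rather than read by eye. It assumes the `ods-postgres` container name and `ods` user from the finding; the per-branch fixed versions (18.2, 17.8, 16.12, 15.16, 14.21) are the ones listed above. It generalizes the 17.x check to every branch the release covered, and it treats an unparsable or unlisted version as "unknown" rather than "safe".

```shell
#!/bin/sh
# Added example: verify a running PostgreSQL is at or above the release that
# fixed CVE-2026-2005 (and the rest of the February 2026 batch).

# Minimum patched minor release per major branch, as listed in the finding.
fixed_minor_for() {
    case "$1" in
        18) echo 2 ;;
        17) echo 8 ;;
        16) echo 12 ;;
        15) echo 16 ;;
        14) echo 21 ;;
        *)  return 1 ;;   # branch not covered by the release: unknown
    esac
}

# pg_patched "<version text>" -> exit 0 patched, 1 vulnerable, 2 unknown.
# Accepts "17.9", "17.9 (Debian 17.9-1.pgdg120+1)" or the full
# "PostgreSQL 17.9 on x86_64-..." string that SELECT version() returns.
pg_patched() {
    ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        return 2
    fi
    major=${ver% *}
    minor=${ver#* }
    need=$(fixed_minor_for "$major") || return 2
    if [ "$minor" -ge "$need" ]; then
        return 0
    fi
    return 1
}

# Live check against the container named in the finding (needs Docker access).
# Assumed container name and role: ods-postgres / ods.
check_ods_postgres() {
    raw=$(docker exec ods-postgres psql -U ods -tAc "SHOW server_version;") || {
        echo "could not query ods-postgres"; return 2; }
    rc=0
    pg_patched "$raw" || rc=$?
    case "$rc" in
        0) echo "OK: running $raw (patched for CVE-2026-2005)" ;;
        1) echo "VULNERABLE: running $raw, upgrade to the fixed release now" ;;
        *) echo "UNKNOWN: could not classify version '$raw'" ;;
    esac
    return "$rc"
}

# Run the live check only when executed directly, so the functions can be
# sourced by other scripts without touching Docker.
if [ "${0##*/}" = "check_pg_cve.sh" ]; then
    check_ods_postgres
fi
```

Save it as `check_pg_cve.sh` and run it on the Docker host; a non-zero exit code is the signal to act, which makes it usable from a cron job or a CI gate as well as by hand.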

Security Review

License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

postgresql cve pgcrypto heap-overflow high security patched