FIND-20260404-012 · 2026-04-04 · Innovation Veille
CVE-2026-2005: PostgreSQL pgcrypto Heap Buffer Overflow — ODS Requires Upgrade to PostgreSQL 17.9
cve
HIGH
CVE-2026-2005 is a HIGH severity (CVSS 8.8) heap buffer overflow in PostgreSQL's pgcrypto contrib module. While decrypting ciphertext, pgcrypto fails to validate memory boundaries, allowing writes past the allocated buffer. An attacker with database access who supplies specially crafted ciphertext can achieve arbitrary code execution as the OS user running PostgreSQL. Affected: all PostgreSQL versions before 17.8. Fixed in 17.8 (released February 12, 2026) and 17.9 (out-of-cycle, released February 26, 2026 to fix regressions in 17.8). ODS currently runs PostgreSQL 17.9 per last-versions.json; verify pgcrypto usage across all services.
Source
https://www.postgresql.org/support/security/CVE-2026-2005/
ODS Impact
ODS uses PostgreSQL 17 (ods-postgres container). The pgcrypto module is in scope for services using encryption at the DB layer. If any ODS service (e.g., OID for password storage, SecureMail for message encryption, billing-engine for payment data) uses pgcrypto for encryption/decryption, verify it is on 17.9. Run SELECT version(); to confirm the server version, and audit all schemas for pgcrypto usage with SELECT * FROM pg_extension WHERE extname='pgcrypto';
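The two checks above, combined into one audit query, as an added example that is not part of the finding or of the PostgreSQL project. It assumes standard PostgreSQL catalogs only; the version threshold 170009 (server_version_num for 17.9) and the list of decryption function names searched for are assumptions chosen for this check.

```sql
-- Added audit query (not from the advisory). Run once per database:
-- pg_extension is per-database, so a single connection only sees the
-- current database's extensions.

-- 1. Server version and whether pgcrypto is installed here.
--    170009 is the server_version_num of PostgreSQL 17.9 (assumed threshold).
SELECT
    current_setting('server_version')                                   AS server_version,
    current_setting('server_version_num')::int >= 170009                AS at_or_above_17_9,
    EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgcrypto')      AS pgcrypto_installed,
    (SELECT extversion FROM pg_extension WHERE extname = 'pgcrypto')    AS pgcrypto_version,
    current_database()                                                  AS database_name;

-- 2. User-defined functions and views that call pgcrypto decryption
--    routines (the code paths that process attacker-supplied ciphertext).
--    Functions that belong to an extension itself (deptype 'e') are
--    excluded so pgcrypto's own C wrappers do not show up as "usage".
WITH decrypt_calls AS (
    SELECT unnest(ARRAY[
        '%pgp_sym_decrypt%', '%pgp_pub_decrypt%',
        '%decrypt(%',        '%decrypt_iv(%'
    ]) AS pattern
)
SELECT 'function' AS object_type,
       n.nspname   AS schema_name,
       p.proname   AS object_name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        SELECT 1 FROM pg_depend d
        WHERE d.classid = 'pg_proc'::regclass
          AND d.objid   = p.oid
          AND d.deptype = 'e')
  AND EXISTS (SELECT 1 FROM decrypt_calls c WHERE p.prosrc ILIKE c.pattern)
UNION ALL
SELECT 'view', v.schemaname, v.viewname
FROM pg_views v
WHERE v.schemaname NOT IN ('pg_catalog', 'information_schema')
  AND EXISTS (SELECT 1 FROM decrypt_calls c WHERE v.definition ILIKE c.pattern)
ORDER BY object_type, schema_name, object_name;
```

The first statement returns one row per database with at_or_above_17_9 = false on anything still exposed; the second lists the schema objects whose bodies reference pgcrypto decryption, which is where a review of who can supply ciphertext should start. Application code that calls pgp_sym_decrypt directly in ad-hoc SQL will not appear in the catalogs and must be found in the service repositories instead.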
Security Review
License: PostgreSQL | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
postgresql
cve
pgcrypto
heap-overflow
database
rce
high