FIND-20260410-005 · 2026-04-10 · Innovation Veille
CVE-2026-2005 — PostgreSQL pgcrypto RCE via heap buffer overflow (CVSS 8.8, HIGH)
cve
HIGH
CVE-2026-2005 is a high-severity heap buffer overflow in the PostgreSQL pgcrypto extension. An attacker who can supply ciphertext to pgcrypto can execute arbitrary code with the privileges of the OS user running the database server. CVSS: 8.8. Affected: PostgreSQL 14.x-18.x before 14.21/15.16/16.12/17.8/18.2. Fixed: February 12, 2026. This vulnerability is especially relevant if ODS uses pgcrypto for encryption at rest or secure mail features.
Source
https://www.postgresql.org/support/security/CVE-2026-2005/
ODS Impact
If ODS uses the pgcrypto extension (likely in oid for password hashing, or securemail for message encryption), a malicious ciphertext provider can achieve RCE on the database host. The fix is to upgrade to PostgreSQL 17.8. CVE-2026-2005 and CVE-2026-2006 are both fixed in the same patch release (17.8), so a single upgrade resolves both.
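To turn the affected/fixed version table above into a repeatable check across an ODS database inventory, here is an added triage helper (not code from the PostgreSQL advisory or the ODS project). It assumes that `SHOW server_version` and `SELECT extname FROM pg_extension` have already been collected per database; the inventory entries in `main()` are constructed examples.

```python
import re

# Per-branch fixed minor versions from the finding: 14.21 / 15.16 / 16.12 / 17.8 / 18.2.
FIXED_MINOR = {14: 21, 15: 16, 16: 12, 17: 8, 18: 2}


def parse_version(server_version):
    """Extract (major, minor) from SHOW server_version output,
    e.g. '17.6 (Debian 17.6-1.pgdg120+1)' -> (17, 6)."""
    m = re.match(r"\s*(\d+)\.(\d+)", server_version)
    if not m:
        raise ValueError(f"unrecognised server_version: {server_version!r}")
    return int(m.group(1)), int(m.group(2))


def version_status(server_version):
    """'vulnerable' if below the fixed release of its branch, 'patched' if at or above it,
    'out_of_scope' for branches the advisory does not list (13.x and earlier, 19+)."""
    major, minor = parse_version(server_version)
    if major not in FIXED_MINOR:
        return "out_of_scope"
    return "vulnerable" if minor < FIXED_MINOR[major] else "patched"


def triage(server_version, extensions):
    """Combine the server version with the installed-extension list into a verdict.
    Returns (status, pgcrypto_installed, recommended_action)."""
    status = version_status(server_version)
    has_pgcrypto = "pgcrypto" in {e.lower() for e in extensions}
    major, _ = parse_version(server_version)
    if status == "vulnerable" and has_pgcrypto:
        action = f"upgrade to {major}.{FIXED_MINOR[major]} now (CVE-2026-2005 reachable)"
    elif status == "vulnerable":
        action = f"upgrade to {major}.{FIXED_MINOR[major]}; do not CREATE EXTENSION pgcrypto before patching"
    elif status == "patched":
        action = "no action for CVE-2026-2005"
    else:
        action = "branch not covered by this advisory; check its support status separately"
    return status, has_pgcrypto, action


def main():
    # Constructed inventory: (database name, SHOW server_version, SELECT extname FROM pg_extension).
    inventory = [
        ("ods-oid", "17.6 (Debian 17.6-1.pgdg120+1)", ["plpgsql", "pgcrypto"]),
        ("ods-securemail", "17.8 (Debian 17.8-1.pgdg120+1)", ["plpgsql", "pgcrypto"]),
        ("ods-analytics", "16.11", ["plpgsql"]),
    ]
    for name, version, exts in inventory:
        status, crypto, action = triage(version, exts)
        print(f"{name:<16} {status:<13} pgcrypto={crypto!s:<5} -> {action}")


if __name__ == "__main__":
    main()
```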
Security Review
License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
postgresql
cve
rce
pgcrypto
security
high-severity
buffer-overflow