
[USN-8072-1] PostgreSQL vulnerabilities

Posted on 04 March 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8072-1
March 04, 2026

postgresql-14, postgresql-16, postgresql-17 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-17: Object-relational SQL database
- postgresql-16: Object-relational SQL database
- postgresql-14: Object-relational SQL database

Details:

Altan Birler discovered that PostgreSQL incorrectly validated oidvector
types. An attacker could possibly use this issue to obtain a few bytes of
sensitive information. (CVE-2026-2003)

Daniel Firer discovered that PostgreSQL incorrectly validated input in the
intarray extension. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2026-2004)

It was discovered that PostgreSQL incorrectly handled certain pgcrypto memory
operations. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2026-2005)

Paul Gerste and Moritz Sanft discovered that PostgreSQL incorrectly
validated multibyte character lengths. An attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-2006)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
postgresql-17 17.9-0ubuntu0.25.10.1
postgresql-client-17 17.9-0ubuntu0.25.10.1

Ubuntu 24.04 LTS
postgresql-16 16.13-0ubuntu0.24.04.1
postgresql-client-16 16.13-0ubuntu0.24.04.1

Ubuntu 22.04 LTS
postgresql-14 14.22-0ubuntu0.22.04.1
postgresql-client-14 14.22-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
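Checking a fleet against the package versions above needs dpkg's version ordering, not a plain string comparison (17.10 is newer than 17.9, and 16.13~rc1 is older than 16.13). The following Python script is an added example for this notice and is not part of the Ubuntu advisory or the PostgreSQL packaging: it embeds the fixed-version table from the notice, reimplements dpkg's version comparison, and lists the installed packages that are still behind together with the upgrade and restart steps the notice calls for. The dpkg-query output it parses is constructed sample data; in real use, feed it the output of dpkg-query -W -f='${Package} ${Version}\n' 'postgresql-*' and the VERSION_ID from /etc/os-release.

```python
r"""Check installed PostgreSQL packages against the fixed versions in USN-8072-1.

Added example for this notice, not Ubuntu's or PostgreSQL's own code. FIXED is
copied from the notice. SAMPLE_DPKG_QUERY is constructed data standing in for
the real output of:  dpkg-query -W -f='${Package} ${Version}\n' 'postgresql-*'
"""

# Fixed package versions per Ubuntu release, as listed in the notice.
FIXED = {
    "25.10": {"postgresql-17": "17.9-0ubuntu0.25.10.1",
              "postgresql-client-17": "17.9-0ubuntu0.25.10.1"},
    "24.04": {"postgresql-16": "16.13-0ubuntu0.24.04.1",
              "postgresql-client-16": "16.13-0ubuntu0.24.04.1"},
    "22.04": {"postgresql-14": "14.22-0ubuntu0.22.04.1",
              "postgresql-client-14": "14.22-0ubuntu0.22.04.1"},
}

# Constructed sample: a 24.04 host one minor release behind, plus a versionless
# line of the kind dpkg-query prints for packages it knows but are not installed.
SAMPLE_DPKG_QUERY = """\
postgresql-16 16.12-0ubuntu0.24.04.1
postgresql-client-16 16.12-0ubuntu0.24.04.1
postgresql-client-common 257build1.1
postgresql-common 257build1.1
postgresql-15
"""

def _order(s, i):
    """dpkg character weight: end of string and digits 0, letters their code
    point, '~' -1 (sorts before even the empty string), anything else +256."""
    if i >= len(s) or s[i].isdigit():
        return 0
    c = s[i]
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    """dpkg's upstream/revision comparison: alternate non-digit runs (compared
    by _order) with digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():   # the longer digit run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_version_cmp(a, b):
    """Negative, zero or positive as Debian version a is older, equal, newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_dpkg_query(text):
    """Map package -> version from 'Package Version' lines; skip versionless ones."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def vulnerable_packages(installed, release):
    """[(package, installed, fixed)] for installed packages older than the fix."""
    return [(pkg, installed[pkg], fixed)
            for pkg, fixed in FIXED.get(release, {}).items()
            if pkg in installed and deb_version_cmp(installed[pkg], fixed) < 0]

def remediation(vuln):
    """The steps the notice calls for: upgrade the affected packages, then
    restart PostgreSQL so the running server actually uses the new binaries."""
    if not vuln:
        return []
    return ["sudo apt-get install --only-upgrade " + " ".join(p for p, _, _ in vuln),
            "sudo systemctl restart postgresql"]

if __name__ == "__main__":
    vuln = vulnerable_packages(parse_dpkg_query(SAMPLE_DPKG_QUERY), "24.04")
    for pkg, have, fixed in vuln:
        print(f"{pkg}: installed {have}, fixed in {fixed}")
    print("\n".join(remediation(vuln)))
```

The restart step matters for verification as well as for the fix itself: a server started before the upgrade keeps running the old binaries, and SELECT version(); in psql keeps reporting the old minor version until the cluster has been restarted, so a check that only looks at dpkg's view of the package can pass while the vulnerable code is still serving queries.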

References:
https://ubuntu.com/security/notices/USN-8072-1
CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-17/17.9-0ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/postgresql-16/16.13-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.22-0ubuntu0.22.04.1
