High

PostgreSQL multibyte character length validation RCE

IdentifiersCVE-2026-2006CWE-129· Improper Validation of Array Index

CVE-2026-2006 is an arbitrary code execution vulnerability in PostgreSQL caused by missing validation of multibyte character length during text manipulation. The flaw allows malformed multibyte input, including malformed UTF-8 as described in supporting reporting, to reach PostgreSQL string-handling routines such as pg_mblen and pg_utf_mblen without proper checks. A database user can issue crafted queries that trigger a buffer overrun, resulting in out-of-bounds memory access and memory corruption. Successful exploitation can lead to execution of arbitrary code as the operating system user running the PostgreSQL server process. Affected versions are PostgreSQL before 18.2, 17.8, 16.12, 15.16, and 14.21.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can corrupt server memory and achieve arbitrary code execution in the PostgreSQL server context. Because code runs as the operating system account that owns the database process, impact includes full compromise of the database instance, theft or modification of database contents, service disruption, and potential host-level post-exploitation actions available to that OS user. The CVSS vector provided in the supporting content indicates network attackability, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting access for untrusted or low-privilege database users, restricting who can submit crafted or complex text-processing queries, and minimizing network exposure of PostgreSQL instances. Apply least privilege to the PostgreSQL service account so that compromise of the database process yields fewer host-level capabilities. Supporting reporting also recommends restricting extension creation and reviewing logs for suspicious pgp-related activity, although the primary mitigation is upgrading.

Remediation

Patch, then assume compromise.

Upgrade PostgreSQL to a fixed release for the deployed major branch: 18.2, 17.8, 16.12, 15.16, or 14.21, or later. Debian-specific fixed package versions referenced in the supporting content include postgresql-15 15.16-0+deb12u1 for bookworm and postgresql-17 17.8-0+deb13u1 for trixie. Apply the vendor security update across all supported PostgreSQL installations running affected versions.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

F5Big-Ip Next For Kubernetesapplication

PostgresqlPostgresqlapplication

PostgreSQL Global Development GroupPostgresqlapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

28 SOURCESView more in app

hackreadNews

May 4, 2026

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities

A critical memory corruption vulnerability in PostgreSQL's pgcrypto extension affecting symmetric decryption, where malformed UTF-8 can trigger out-of-bounds reads or writes and potentially lead to execution control and system-call triggering.

ahnlab asec blogNews

Feb 12, 2026

PostgreSQL Security Update Advisory - ASEC

An arbitrary code execution vulnerability in PostgreSQL caused by missing validation of multibyte character lengths.

cvefeed high severityNews

Feb 12, 2026

CVE-2026-2006 - PostgreSQL missing validation of multibyte character length executes arbitrary code

A PostgreSQL vulnerability where improper validation of multibyte character length in text manipulation can be exploited by an authenticated database user (low privileges) via crafted queries to trigger a buffer overrun, leading to arbitrary code execution as the OS user running the database.

postgresqlNews

Feb 12, 2026

PostgreSQL: PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 Released!

A buffer overrun/arbitrary code execution vulnerability in PostgreSQL text manipulation caused by missing validation of multibyte character length.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-2006

NVD

nvd.nist.gov/vuln/detail/CVE-2026-2006

MITRE CWE · CWE-129

Improper Validation of Array Index

Vendor Advisory

postgresql.org/support/security/CVE-2026-2006