CVE-2026-2003

Advisory lineage Upstream: 0 Downstream: 52

Downstream

ALPINE-CVE-2026-2003 DEBIAN-CVE-2026-2003 DSA-6132-1 DSA-6133-1 MGASA-2026-0041 OPENSUSE-SU-2026:10190-1

Analyzed

Published: 12 Feb 2026, 13:00

Last modified:12 Feb 2026, 14:33

Vulnerability Summary

Overall Risk (default)

low

17/100

CVSS Score

4.3 MEDIUM

v3.1 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

12 Feb 2026, 13:00

Published

Vulnerability first disclosed

12 Feb 2026, 14:33

Last Modified

Vulnerability information updated

Description

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS Metrics

v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.02%• Percentile: 7%

Techniques & Countermeasures

CWE-1287•Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Affected Systems

postgresql•postgresql
≥ 14.0, < 14.21 | ≥ 15.0, < 15.16 | ≥ 16.0, < 16.12 | ≥ 17.0, < 17.8 | ≥ 18.0, < 18.2

References (1)

https://www.postgresql.org/support/security/CVE-2026-2003/