DEBIAN-CVE-2026-2004

Advisory lineage Upstream: 1 Downstream: 2

Upstream

CVE-2026-2004

Downstream

DSA-6132-1 DSA-6133-1

Published: 12 Feb 2026, 14:16

Last modified:28 Apr 2026, 20:31

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

8.8 HIGH

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

12 Feb 2026, 14:16

Published

Vulnerability first disclosed

28 Apr 2026, 20:31

Last Modified

Vulnerability information updated

Description

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

debian•postgresql-13
all | < 13.23-0+deb11u2
debian•postgresql-15
all | < 15.16-0+deb12u1
debian•postgresql-17
all | < 17.8-0+deb13u1
debian•postgresql-18
all | < 18.2-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2026-2004