{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-2005","assignerOrgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","state":"PUBLISHED","assignerShortName":"PostgreSQL","dateReserved":"2026-02-05T18:17:55.613Z","datePublished":"2026-02-12T13:00:09.784Z","dateUpdated":"2026-02-26T14:44:21.494Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","shortName":"PostgreSQL","dateUpdated":"2026-02-12T13:00:09.784Z"},"title":"PostgreSQL pgcrypto heap buffer overflow executes arbitrary code","descriptions":[{"lang":"en","value":"Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.  Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected."}],"affected":[{"defaultStatus":"unaffected","product":"PostgreSQL","vendor":"n/a","versions":[{"lessThan":"18.2","status":"affected","version":"18","versionType":"rpm"},{"lessThan":"17.8","status":"affected","version":"17","versionType":"rpm"},{"lessThan":"16.12","status":"affected","version":"16","versionType":"rpm"},{"lessThan":"15.16","status":"affected","version":"15","versionType":"rpm"},{"lessThan":"14.21","status":"affected","version":"0","versionType":"rpm"}]}],"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-122","type":"CWE","description":"Heap-based Buffer Overflow"}]}],"references":[{"url":"https://www.postgresql.org/support/security/CVE-2026-2005/"}],"metrics":[{"format":"CVSS","cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH"}}],"configurations":[{"lang":"en","value":"attacker has permission to install pgcrypto or pass arbitrary ciphertext to an already-installed pgcrypto"}],"credits":[{"lang":"en","value":"The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this \nproblem."}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2026-2005","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2026-02-13T04:56:32.671453Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T14:44:21.494Z"}}]}}