CVE-2026-2003

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.postgresql.org/support/security/CVE-2026-2003/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::

History

20 Feb 2026, 19:53

Type	Values Removed	Values Added
CPE		cpe:2.3:a:postgresql:postgresql::::::::
First Time		Postgresql Postgresql postgresql
References	~~() https://www.postgresql.org/support/security/CVE-2026-2003/ -~~	() https://www.postgresql.org/support/security/CVE-2026-2003/ - Vendor Advisory

12 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 14:16

Updated : 2026-02-20 19:53

NVD link : CVE-2026-2003

Mitre link : CVE-2026-2003

CVE.ORG link : CVE-2026-2003

JSON object : View

Products Affected

postgresql

postgresql

CWE

CWE-1287

Improper Validation of Specified Type of Input

{"id": "CVE-2026-2003", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-12T14:16:02.067", "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-2003/", "tags": ["Vendor Advisory"], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "description": [{"lang": "en", "value": "CWE-1287"}]}], "descriptions": [{"lang": "en", "value": "Improper validation of type \"oidvector\" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected."}], "lastModified": "2026-02-20T19:53:43.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BCEAB7B-E4FC-4F9F-A1F9-62EA7DD6D6CC", "versionEndExcluding": "14.21", "versionStartIncluding": "14.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B408DAF-2DCD-45FE-94EE-BC84947A41C8", "versionEndExcluding": "15.16", "versionStartIncluding": "15.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6353A59B-FE67-4DD5-B0E6-C10F0D2358D0", "versionEndExcluding": "16.12", "versionStartIncluding": "16.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2CCF450-C726-403A-975F-B5717E92A769", "versionEndExcluding": "17.8", "versionStartIncluding": "17.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B872502-5316-4E79-8FA1-24E5D8222C39", "versionEndExcluding": "18.2", "versionStartIncluding": "18.0"}], "operator": "OR"}]}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}