Cyber Resilience

CVE-2026-2006

High severity · Updated

Published: 12 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0066 (46.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2006 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Postgresql Postgresql. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 46.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2006 is a vulnerability in PostgreSQL's text manipulation functions stemming from missing validation of multibyte character length, which enables a buffer overrun (CWE-129). It affects versions prior to PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21. The issue was published on 2026-02-12 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A database user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). By issuing crafted queries, the attacker triggers the buffer overrun, achieving arbitrary code execution with the privileges of the operating system user running the PostgreSQL database process.

The official PostgreSQL security advisory at https://www.postgresql.org/support/security/CVE-2026-2006/ details mitigation steps, which include upgrading to one of the fixed versions: 18.2, 17.8, 16.12, 15.16, or 14.21.
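As a defender-side check added here (not code from the page's source or from the PostgreSQL project), the functions below parse a `SHOW server_version` or `SELECT version()` string and report whether the reported release is below the fixed versions the advisory lists. The host names and version strings in the sample inventory are constructed.

```python
import re

# Fixed minor release per major line, from the advisory for CVE-2026-2006:
# any release of these major lines below the listed minor is affected.
FIXED_MINOR = {14: 21, 15: 16, 16: 12, 17: 8, 18: 2}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_server_version(text):
    """Return (major, minor) from a server_version or version() string.

    Accepts '16.11', '16.11 (Debian 16.11-1.pgdg120+1)' or the full
    'PostgreSQL 17.8 on x86_64-...' output. Returns None when no
    dotted release number is present (e.g. a beta tag).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(version_text):
    """Classify a version string as 'affected', 'fixed' or 'unknown'.

    'unknown' covers unparsable strings and major lines the advisory does
    not list (e.g. end-of-life 13.x), which need a manual decision.
    """
    parsed = parse_server_version(version_text)
    if parsed is None or parsed[0] not in FIXED_MINOR:
        return "unknown"
    major, minor = parsed
    return "affected" if minor < FIXED_MINOR[major] else "fixed"


# Constructed sample inventory (hypothetical hosts), as an operator might
# collect from `SHOW server_version` across a fleet.
SAMPLE_INVENTORY = {
    "db-a": "16.11 (Debian 16.11-1.pgdg120+1)",
    "db-b": "PostgreSQL 17.8 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-c": "14.21",
    "db-d": "18.1",
    "db-e": "13.20",
}


def assess_inventory(inventory):
    """Map each host to its patch status for CVE-2026-2006."""
    return {host: assess(text) for host, text in inventory.items()}


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```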

Vulnerability details

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CWE(s)

CWE-129 Improper Validation of Array Index

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The buffer overrun in PostgreSQL enables remote, authenticated RCE (T1190): a low-privilege database account gains OS-level code execution as the user running the database process (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2004 · Same product: Postgresql Postgresql
CVE-2026-2007 · Same product: Postgresql Postgresql
CVE-2026-6473 · Same product: Postgresql Postgresql
CVE-2026-6637 · Same product: Postgresql Postgresql
CVE-2026-6476 · Same product: Postgresql Postgresql
CVE-2026-2005 · Same product: Postgresql Postgresql
CVE-2026-6475 · Same product: Postgresql Postgresql
CVE-2026-6479 · Same product: Postgresql Postgresql
CVE-2026-6477 · Same product: Postgresql Postgresql
CVE-2023-52987 · Shared CWE-129

Affected Assets

Vendor: postgresql · Product: postgresql
Affected version ranges: 14.0 — 14.21 · 15.0 — 15.16 · 16.0 — 16.12

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent, recover)

Directly mitigates the buffer overrun vulnerability by requiring timely patching of PostgreSQL to fixed versions such as 18.2, 17.8, 16.12, 15.16, or 14.21.

SI-16 Memory Protection (prevent)

Implements memory protection mechanisms like ASLR and DEP to prevent arbitrary code execution resulting from the multibyte character length validation buffer overrun.

Least privilege for the database OS user (prevent)

Enforces least privilege on the operating system user running PostgreSQL, limiting the scope and impact of arbitrary code execution achieved via the buffer overrun.

References

PostgreSQL security advisory: https://www.postgresql.org/support/security/CVE-2026-2006/