Cyber Posture

CVE-2026-2006

High

Published: 12 February 2026

Modified: 20 February 2026
KEV Added: not listed
Patch: available (fixed releases listed below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2006 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in PostgreSQL. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent, recover): Directly mitigates the buffer overrun vulnerability by requiring timely patching of PostgreSQL to fixed versions such as 18.2, 17.8, 16.12, 15.16, or 14.21.

SI-16 Memory Protection (prevent): Implements memory protection mechanisms like ASLR and DEP to hinder arbitrary code execution resulting from the multibyte character length validation buffer overrun.

Least privilege (prevent): Enforces least privilege on the operating system user running PostgreSQL, limiting the scope and impact of arbitrary code execution achieved via the buffer overrun.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The buffer overrun in PostgreSQL gives a remote, authenticated, low-privileged database account code execution on the server (T1190), and that execution runs as the operating system user hosting the database, so it escalates from database privileges to OS-level privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Deeper analysis

CVE-2026-2006 is a vulnerability in PostgreSQL's text manipulation functions stemming from missing validation of multibyte character length, which enables a buffer overrun (classified as CWE-129, Improper Validation of Array Index). It affects versions prior to PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21. The issue was published on 2026-02-12 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A database user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). By issuing crafted queries, the attacker triggers the buffer overrun, achieving arbitrary code execution with the privileges of the operating system user running the PostgreSQL database process.

The official PostgreSQL security advisory at https://www.postgresql.org/support/security/CVE-2026-2006/ details mitigation steps, which include upgrading to one of the fixed versions: 18.2, 17.8, 16.12, 15.16, or 14.21.
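Because the only real fix is upgrading to a fixed release, the first defensive step is an inventory check. The following is an added example, not code from the advisory or from the PostgreSQL project: it classifies a server as affected or fixed by CVE-2026-2006 using the fixed releases listed above. It assumes the input is the text returned by `SELECT version()` or `SHOW server_version` (for example "PostgreSQL 16.4 on x86_64-pc-linux-gnu"), and reports major versions the advisory does not list as "unknown" rather than guessing.

```python
"""Added example: triage PostgreSQL servers against CVE-2026-2006.

Assumption: version strings come from SELECT version() / SHOW server_version.
Fixed releases are those named in the advisory: 14.21, 15.16, 16.12, 17.8, 18.2.
"""
import re

# First minor release of each major line that contains the fix (from the advisory).
FIXED_MINOR_BY_MAJOR = {14: 21, 15: 16, 16: 12, 17: 8, 18: 2}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor) from a server version string such as
    'PostgreSQL 16.4 on x86_64-pc-linux-gnu' or a bare '16.4'.
    The first dotted number in the string is the server version; later
    numbers (packaging suffixes, platform triples) are ignored."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no PostgreSQL version found in: %r" % text)
    return int(match.group(1)), int(match.group(2))


def cve_2026_2006_status(text):
    """Classify one server: 'affected', 'fixed', or 'unknown'.
    'unknown' covers major lines the advisory does not list (e.g. 13.x),
    which must be checked separately rather than assumed safe."""
    major, minor = parse_version(text)
    fixed_minor = FIXED_MINOR_BY_MAJOR.get(major)
    if fixed_minor is None:
        return "unknown"
    return "fixed" if minor >= fixed_minor else "affected"


def triage(inventory):
    """Map {host: version_string} to {host: status}, so patching can be
    prioritised; hosts whose version string cannot be parsed are 'unparseable'."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = cve_2026_2006_status(version_text)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "db-prod-1": "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc",
        "db-prod-2": "PostgreSQL 14.21 (Debian 14.21-1.pgdg120+1)",
        "db-legacy": "PostgreSQL 13.20 on x86_64-pc-linux-gnu",
    }
    for host, status in triage(sample).items():
        print(host, status)
```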

Details

CWE(s): CWE-129 Improper Validation of Array Index

Affected Products

PostgreSQL (vendor: PostgreSQL): 14.0 – 14.21 · 15.0 – 15.16 · 16.0 – 16.12

CVEs Like This One

CVE-2026-2004: same product (PostgreSQL)
CVE-2026-2007: same product (PostgreSQL)
CVE-2026-2005: same product (PostgreSQL)
CVE-2023-53019: shared CWE-129
CVE-2024-49837: shared CWE-129
CVE-2026-23354: shared CWE-129
CVE-2024-49834: shared CWE-129
CVE-2025-47393: shared CWE-129
CVE-2024-49833: shared CWE-129
CVE-2024-49836: shared CWE-129
