Cyber Posture

CVE-2026-2007

Severity: High

Published: 12 February 2026
Modified: 20 February 2026
KEV Added: not listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2007 is a high-severity heap-based buffer overflow (CWE-122) in the pg_trgm extension of PostgreSQL (vendor: PostgreSQL, product: PostgreSQL). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the heap buffer overflow by requiring timely remediation through vendor patches for the affected PostgreSQL pg_trgm extension.

SI-16 Memory Protection (prevent)

Implements memory protections such as address space layout randomization and non-executable heap memory to hinder exploitation of the heap buffer overflow. These hardenings raise the cost of exploitation but do not remove the flaw itself.

Input validation (prevent)

Requires validation of input strings passed to pg_trgm functions to reject or sanitize crafted inputs that trigger the buffer overflow. Since the advisory text does not characterize the crafted input beyond calling it a crafted string, application-level filtering is a defense-in-depth measure rather than a substitute for the vendor patch.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A heap buffer overflow in an exposed PostgreSQL extension directly enables remote exploitation of a public-facing database application (T1190), and the resulting memory corruption may permit privilege escalation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

Deeper analysis

CVE-2026-2007 is a heap buffer overflow vulnerability (CWE-122) in the pg_trgm extension of PostgreSQL. It affects versions 18.1 and 18.0. The flaw lets a database user trigger unknown impacts by supplying a crafted input string; the attacker has only limited control over the byte patterns written past the end of the heap buffer.

According to the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H, score 8.2), the vulnerability is exploitable remotely over the network with low attack complexity, no user interaction, and no privileges required. Note that the NVD description frames the attacker as a database user, whereas the vector scores privileges required as none. Successful exploitation may cause a high availability impact and a low integrity impact; the exact outcomes remain unknown, and privilege escalation has not been ruled out given the nature of the overflow.

The official PostgreSQL security advisory at https://www.postgresql.org/support/security/CVE-2026-2007/ lists the available patches and mitigation guidance for this issue.

Details

CWE(s): CWE-122 (Heap-based Buffer Overflow)

Affected Products

Vendor: postgresql
Product: postgresql
Versions: 18.0 to 18.2

CVEs Like This One

CVE-2026-2005 (same product: PostgreSQL)
CVE-2026-2004 (same product: PostgreSQL)
CVE-2026-2006 (same product: PostgreSQL)
CVE-2026-5447 (shared CWE-122)
CVE-2025-49717 (shared CWE-122)
CVE-2025-53766 (shared CWE-122)
CVE-2025-48005 (shared CWE-122)
CVE-2026-25205 (shared CWE-122)
CVE-2025-67896 (shared CWE-122)
CVE-2026-22697 (shared CWE-122)
