USN-8072-1: PostgreSQL vulnerabilities
Ubuntu DesktopCanonical
USN-8072-1: PostgreSQL vulnerabilities
Publication date: 4 March 2026
Overview: Several security issues were fixed in PostgreSQL.
Packages
- postgresql-14 - Object-relational SQL database
- postgresql-16 - Object-relational SQL database
- postgresql-17 - Object-relational SQL database
Details
Altan Birler discovered that PostgreSQL incorrectly validated oidvector
types. An attacker could possibly use this issue to obtain a few bytes of
sensitive information. (CVE-2026-2003)
Daniel Firer discovered that PostgreSQL incorrectly validated input in the
intarray extension. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2026-2004)
It was dicovered that PosgreSQL incorrectly handled certain pgcrypto memory
operations. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2026-2005)
Paul Gerste and Moritz Sanft discovered that PostgreSQL incorrectly
validated multibyte character lengths. An attacker could possibly use this
issue to execute arbitrary code. (CVE-2026-2006)
Update instructions
The problem can be corrected by updating your system to the following package versions:
25.10 questing
- postgresql-17 – 17.9-0ubuntu0.25.10.1
- postgresql-client-17 – 17.9-0ubuntu0.25.10.1
24.04 LTS noble
- postgresql-16 – 16.13-0ubuntu0.24.04.1
- postgresql-client-16 – 16.13-0ubuntu0.24.04.1
22.04 LTS jammy
- postgresql-14 – 14.22-0ubuntu0.22.04.1
- postgresql-client-14 – 14.22-0ubuntu0.22.04.125.10 questingpostgresql-17 – 17.9-0ubuntu0.25.10.1
- postgresql-client-17 – 17.9-0ubuntu0.25.10.1
24.04 LTS noble
- postgresql-16 – 16.13-0ubuntu0.24.04.1
- postgresql-client-16 – 16.13-0ubuntu0.24.04.1
22.04 LTS jammy
- postgresql-14 – 14.22-0ubuntu0.22.04.1
- postgresql-client-14 – 14.22-0ubuntu0.22.04.1
