| Package | postgresql-11 |
|---|---|
| Version | 11.22-0+deb10u7 (buster) |
| Related CVEs | CVE-2026-2003 CVE-2026-2004 CVE-2026-2005 CVE-2026-2006 |
Multiple vulnerabilities were fixed in PostgreSQL, a popular database.
- CVE-2026-2003: Improper validation of the “oidvector” type in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out the viability of attacks that arrange for confidential information to be present in the disclosed bytes, but they seem unlikely.
- CVE-2026-2004: Missing validation of the input type in the selectivity estimator function of the PostgreSQL intarray extension allows an object creator to execute arbitrary code as the operating system user running the database.
- CVE-2026-2005: A heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
- CVE-2026-2006: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.
For Debian 10 buster, these problems have been fixed in version 11.22-0+deb10u7.
We recommend that you upgrade your postgresql-11 packages.
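As an added check (not part of the Debian advisory), the following script decides whether an installed postgresql-11 version is at or above the fixed version 11.22-0+deb10u7. It implements the dpkg version ordering (epoch, upstream version, Debian revision, with alternating non-digit/digit segments, `~` sorting before everything and digit runs compared numerically) rather than a plain string comparison, which would wrongly rank a later `deb10u10` below `deb10u7`. The function names and the `dpkg-query` invocation under the `__main__` guard are this example's own assumptions; the version strings in `main` are constructed sample inputs.

```python
import re
import subprocess
from itertools import zip_longest

FIXED_VERSION = "11.22-0+deb10u7"  # fixed version from the advisory (Debian 10 buster)


def _order(c):
    # dpkg character weight: end-of-string 0, '~' sorts before everything,
    # letters by code point, other characters after all letters.
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    # Compare one upstream-version or revision fragment the way dpkg does:
    # alternate non-digit runs (character weights) and digit runs (numeric).
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            ox, oy = _order(x), _order(y)
            if ox != oy:
                return -1 if ox < oy else 1
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    # [epoch:]upstream[-revision]; the revision is everything after the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    # Returns -1, 0 or 1 like dpkg --compare-versions lt/eq/gt.
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_fragment(u1, u2)
    if c != 0:
        return c
    return _cmp_fragment(r1, r2)


def is_fixed(installed, fixed=FIXED_VERSION):
    # True when the installed package already carries the advisory fix.
    return compare_versions(installed, fixed) >= 0


def installed_version(package="postgresql-11"):
    # Hypothetical helper: query dpkg on a Debian host; None if not installed.
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        )
        return out.stdout.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Constructed sample versions, then the live host if dpkg is available.
    for v in ["11.22-0+deb10u6", "11.22-0+deb10u7", "11.22-0+deb10u10"]:
        print(v, "fixed" if is_fixed(v) else "VULNERABLE, upgrade postgresql-11")
    live = installed_version()
    if live:
        print("installed:", live, "fixed" if is_fixed(live) else "VULNERABLE")
```

Run it on a buster host to get a pass/fail line for the live package; the comparison logic itself needs no dpkg and can be reused to triage version inventories exported from other hosts.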
Further information about Extended LTS security advisories can be found in the dedicated section of our website.