| Package | postgresql-9.6 |
|---|---|
| Version | 9.6.24-0+deb9u11 (stretch) |
| Related CVEs | CVE-2026-2003 CVE-2026-2004 CVE-2026-2005 CVE-2026-2006 |
Multiple vulnerabilities were fixed in PostgreSQL, a popular database.
- CVE-2026-2003: Improper validation of type “oidvector” in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.
- CVE-2026-2004: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.
- CVE-2026-2005: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
- CVE-2026-2006: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.
For Debian 9 stretch, these problems have been fixed in version 9.6.24-0+deb9u11.
We recommend that you upgrade your postgresql-9.6 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.