Missing validation of multibyte character length in...
High severity
Unreviewed
Published Feb 12, 2026 to the GitHub Advisory Database • Updated Jun 30, 2026
Description
Published by the National Vulnerability Database: Feb 12, 2026
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
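The bug class the description names, as an added illustration: this is not PostgreSQL source code, and `claimed_len`, `left_unchecked` and `left_checked` are hypothetical names. Assuming UTF-8 input, it puts a copy loop that trusts the length implied by a character's lead byte next to one that validates that length against the bytes remaining.

```c
#include <stddef.h>
#include <string.h>

/* Byte length that a UTF-8 lead byte claims for its character (1 to 4). */
static size_t claimed_len(unsigned char lead)
{
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1;   /* ASCII, or an invalid lead byte consumed as one byte */
}

/* BEFORE (hypothetical): copy the first nchars characters of src to dst.
 * The claimed length is trusted, so a character truncated at the end of
 * src makes memcpy read past src + srclen and write past a dst that the
 * caller sized from srclen. */
size_t left_unchecked(char *dst, const char *src, size_t srclen, size_t nchars)
{
    size_t off = 0;
    while (nchars-- > 0 && off < srclen) {
        size_t len = claimed_len((unsigned char) src[off]);
        memcpy(dst + off, src + off, len);  /* len never checked */
        off += len;
    }
    return off;
}

/* AFTER: the claimed length must fit in the bytes left in both buffers.
 * Returns bytes copied, or (size_t) -1 for truncated input or a short dst.
 * Continuation-byte validation is not shown here. */
size_t left_checked(char *dst, size_t dstlen,
                    const char *src, size_t srclen, size_t nchars)
{
    size_t off = 0;
    while (nchars-- > 0 && off < srclen) {
        size_t len = claimed_len((unsigned char) src[off]);
        if (len > srclen - off || len > dstlen - off)
            return (size_t) -1;             /* reject instead of overrunning */
        memcpy(dst + off, src + off, len);
        off += len;
    }
    return off;
}
```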