CVE-2026-2004
Publication date 12 February 2026
Last updated 4 March 2026
Ubuntu priority
Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| postgresql-18 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| postgresql-17 | 25.10 questing |
Fixed 17.9-0ubuntu0.25.10.1
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| postgresql-16 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 16.13-0ubuntu0.24.04.1
|
|
| 22.04 LTS jammy | Not in release | |
| postgresql-14 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 14.22-0ubuntu0.22.04.1
|
|
| postgresql-12 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| postgresql-10 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| postgresql-9.5 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Needs evaluation
|
|
| postgresql-9.3 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Vulnerable, fix deferred
|
Notes
leosilva
PostgreSQL 9.3 is end of life upstream, and no updates are are available. Marking as deferred in -esm-main releases.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8072-1
- PostgreSQL vulnerabilities
- 4 March 2026