PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!

From: PostgreSQL Global Development Group <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!
Date: 2025-11-13 14:25:50
Message-ID: 176304395085.770.3261854112000035964@wrigleys.postgresql.org
Lists: pgsql-announce

The PostgreSQL Global Development Group has released an update to all
supported versions of PostgreSQL, including 18.1, 17.7, 16.11, 15.15, 14.20, and
13.23. This release fixes 2 security vulnerabilities and over 50 bugs reported
over the last several months.

For the full list of changes, please review the [release
notes](https://www.postgresql.org/docs/release/).

PostgreSQL 13 EOL Notice
------------------------

**This is the final release of PostgreSQL 13**. PostgreSQL 13 is now end-of-life
and will no longer receive security and bug fixes. If you are
running PostgreSQL 13 in a production environment, we suggest that you make
plans to upgrade to a newer, supported version of PostgreSQL. Please see our
[versioning policy](https://www.postgresql.org/support/versioning/) for more
information.

Security Issues
---------------

### [CVE-2025-12817](https://www.postgresql.org/support/security/CVE-2025-12817/): PostgreSQL `CREATE STATISTICS` does not check for schema `CREATE` privilege

CVSS v3.1 Base Score: [3.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Supported, Vulnerable Versions: 13 - 18.

Missing authorization in PostgreSQL [`CREATE STATISTICS`](https://www.postgresql.org/docs/current/sql-createstatistics.html)
command allows a table owner to achieve denial of service against other
`CREATE STATISTICS` users by creating statistics objects in any schema. A later
`CREATE STATISTICS` for the same name, from a user having the `CREATE`
privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15,
14.20, and 13.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

### [CVE-2025-12818](https://www.postgresql.org/support/security/CVE-2025-12818/): PostgreSQL libpq undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: [5.9](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Supported, Vulnerable Versions: 13 - 18.

Integer wraparound in multiple PostgreSQL [libpq](https://www.postgresql.org/docs/current/libpq.html)
client library functions allows an application input provider or network peer to
cause libpq to undersize an allocation and write out-of-bounds by hundreds of
megabytes. This results in a segmentation fault for the application using
libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are
affected.

The PostgreSQL project thanks Aleksey Solovev (Positive Technologies) for
reporting this problem.
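
The class of defect behind CVE-2025-12818, as an added example that is not libpq code or the project's fix: a constructed size calculation that wraps in 32-bit arithmetic, next to a checked form that refuses before allocating. The names `escaped_size_wrapping`, `escaped_size_checked` and `escape_quotes`, and the `2*len+1` bound, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern: size computed in 32 bits, so 2*len+1 wraps silently. */
static uint32_t escaped_size_wrapping(uint32_t len)
{
    return 2u * len + 1u;
}

/* Checked pattern: returns 0 and sets *out on success, or -1 when 2*len+1
 * cannot be represented in size_t, so the caller fails before allocating. */
static int escaped_size_checked(size_t len, size_t *out)
{
    if (len > (SIZE_MAX - 1) / 2)
        return -1;
    *out = 2 * len + 1;
    return 0;
}

/* Hypothetical escaper (not libpq's): doubles each single quote, so the worst
 * case is 2*len+1 bytes. Returns a malloc'd string, or NULL on overflow/OOM. */
static char *escape_quotes(const char *src, size_t len)
{
    size_t need, i, o = 0;
    char *dst;
    if (escaped_size_checked(len, &need) != 0)
        return NULL;
    dst = malloc(need);
    if (dst == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        if (src[i] == '\'')
            dst[o++] = '\'';          /* emit the extra quote first */
        dst[o++] = src[i];
    }
    dst[o] = '\0';
    return dst;
}

int main(void)
{
    const char *in = "O'Reilly";      /* constructed sample input */
    char *s = escape_quotes(in, strlen(in));
    printf("wrapped size for a 2 GiB input: %u, escaped: %s\n",
           (unsigned)escaped_size_wrapping(0x80000000u), s ? s : "(null)");
    free(s);
    return 0;
}
```

With the wrapping form, a 2 GiB input yields a 1-byte allocation request, which is how an undersized buffer arises before any copy loop runs.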

Bug Fixes and Improvements
--------------------------

This update fixes over 50 bugs that were reported in the last several
months. The issues listed below affect PostgreSQL 18. Some of these issues may
also affect other supported versions of PostgreSQL.

* Avoid returning duplicate rows from hash right semi-joins.
* Avoid possible out-of-memory failures during parallel GIN index build.
* Several fixes for BRIN indexes.
* Fixes for crashes related to partitioned tables, including one occurring during a recheck.
* Avoid duplicating hash partition constraints during `DETACH CONCURRENTLY`, which previously caused issues during dump/restore or if a parent table is dropped after the `DETACH`.
* Disallow [generated columns](https://www.postgresql.org/docs/current/ddl-generated-columns.html) in partition keys and in [`COPY ... FROM ... WHERE`](https://www.postgresql.org/docs/current/sql-copy.html) clauses.
* Fix incorrect reporting of replication lag in [`pg_stat_replication`](https://www.postgresql.org/docs/current/monitoring-stats.html#MONITORING-PG-STAT-REPLICATION-VIEW) view.
* Avoid failures when [`synchronized_standby_slots`](https://www.postgresql.org/docs/current/runtime-config-replication.html#GUC-SYNCHRONIZED-STANDBY-SLOTS) references nonexistent replication slots.
* Avoid unwanted WAL receiver shutdown when switching from streaming to archive WAL source.
* Avoid unnecessary invalidation of logical replication slots.
* Correctly handle `GROUP BY DISTINCT` in [PL/pgSQL](https://www.postgresql.org/docs/current/plpgsql.html) assignment statements.
* Avoid leaking memory when handling a SQL error within [PL/Python](https://www.postgresql.org/docs/current/plpython.html).
* Fix how libpq handles socket-related errors on Windows within its [GSSAPI](https://www.postgresql.org/docs/current/gssapi-auth.html) logic.
* Fix dumping of non-inherited `NOT NULL` constraints on inherited table columns.
* Ensure consistent ordering of foreign key constraints in the output of [`pg_dump`](https://www.postgresql.org/docs/current/app-pgdump.html).
* Several fixes for [`pgbench`](https://www.postgresql.org/docs/current/pgbench.html) error handling and reporting.
* Fix memory leak in [`pg_combinebackup`](https://www.postgresql.org/docs/current/app-pgcombinebackup.html).
* Allow nonsuperusers with `SELECT` privileges on a table to use [`pg_prewarm`](https://www.postgresql.org/docs/current/pgprewarm.html) to prewarm indexes on that table.

Updating
--------

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use `pg_upgrade`
in order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.

Users who have skipped one or more update releases may need to run additional
post-update steps; please see the release notes from earlier versions for
details.

For more details, please see the [release
notes](https://www.postgresql.org/docs/release/).

Links
-----

* [Download](https://www.postgresql.org/download/)
* [Release Notes](https://www.postgresql.org/docs/release/)
* [Security](https://www.postgresql.org/support/security/)
* [Versioning Policy](https://www.postgresql.org/support/versioning/)
* [Submit a Bug](https://www.postgresql.org/account/submitbug/)
* [Donate](https://www.postgresql.org/about/donate/)

If you have corrections or suggestions for this release announcement, please
send them to the _pgsql-www(at)lists(dot)postgresql(dot)org_ public [mailing
list](https://www.postgresql.org/list/).
