PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 Released!

From: PostgreSQL Global Development Group <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 Released!
Date: 2026-02-12 14:40:42
Message-ID: 177090724266.511554.2074093820908445351@wrigleys.postgresql.org
Lists: pgsql-announce

The PostgreSQL Global Development Group has released an update to all
supported versions of PostgreSQL, including 18.2, 17.8, 16.12, 15.16, and 14.21.
This release fixes 5 security vulnerabilities and over 65 bugs reported
over the last several months.

For the full list of changes, please review the [release
notes](https://www.postgresql.org/docs/release/).

Security Issues
---------------

### [CVE-2026-2003](https://www.postgresql.org/support/security/CVE-2026-2003/): PostgreSQL `oidvector` discloses a few bytes of memory

CVSS v3.1 Base Score: [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Supported, Vulnerable Versions: 14 - 18.

Improper validation of type `oidvector` in PostgreSQL allows a database user to
disclose a few bytes of server memory. We have not ruled out viability of
attacks that arrange for presence of confidential information in disclosed
bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12,
15.16, and 14.21 are affected.

The PostgreSQL project thanks Altan Birler for reporting this problem.

### [CVE-2026-2004](https://www.postgresql.org/support/security/CVE-2026-2004/): PostgreSQL `intarray` missing validation of type of input to selectivity estimator executes arbitrary code

CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Supported, Vulnerable Versions: 14 - 18.

Missing validation of type of input in PostgreSQL `intarray` extension
selectivity estimator function allows an object creator to execute arbitrary
code as the operating system user running the database. Versions before
PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for
reporting this problem.

### [CVE-2026-2005](https://www.postgresql.org/support/security/CVE-2026-2005/): PostgreSQL `pgcrypto` heap buffer overflow executes arbitrary code

CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Supported, Vulnerable Versions: 14 - 18.

Heap buffer overflow in PostgreSQL `pgcrypto` allows a ciphertext provider to
execute arbitrary code as the operating system user running the database.
Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for
reporting this problem.

### [CVE-2026-2006](https://www.postgresql.org/support/security/CVE-2026-2006/): PostgreSQL missing validation of multibyte character length executes arbitrary code

CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Supported, Vulnerable Versions: 14 - 18.

Missing validation of multibyte character length in PostgreSQL text manipulation
allows a database user to issue crafted queries that achieve a buffer overrun.
That suffices to execute arbitrary code as the operating system user running the
database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are
affected.

The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of
zeroday.cloud, for reporting this problem.

### [CVE-2026-2007](https://www.postgresql.org/support/security/CVE-2026-2007/): PostgreSQL `pg_trgm` heap buffer overflow writes pattern onto server memory

CVSS v3.1 Base Score: [8.2](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Supported, Vulnerable Versions: 18.

Heap buffer overflow in PostgreSQL `pg_trgm` allows a database user to achieve
unknown impacts via a crafted input string. The attacker has limited control
over the byte patterns to be written, but we have not ruled out the viability of
attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Bug Fixes and Improvements
--------------------------

This update fixes over 65 bugs that were reported in the last several
months. The issues listed below affect PostgreSQL 18. Some of these issues may
also affect other supported versions of PostgreSQL.

* Fix inconsistent case-insensitive text matching in the `ltree` extension. If
you use an index on an `ltree` column, in some cases you may need to perform a
reindex. See the "Updating" section for additional instructions.
* Executing `ALTER TABLE ... ADD CONSTRAINT` to add a `NOT NULL` constraint on
a column that already is marked as `NOT NULL` now requires the constraint name
to match the existing constraint name.
* Fix trigger behavior when `MERGE` is executed from a `WITH` query to include
rows affected by the `MERGE`.
* Several query planner fixes.
* Fix for text substring search for non-deterministic collations.
* Several fixes for `NOTIFY` error handling and reporting.
* Use the correct ordering function in GIN index parallel builds.
* Fix incorrect handling of incremental backups with tables larger than 1GB.
* Fail recovery if WAL does not exist back to the redo point indicated by the
checkpoint record.
* Fix for `ALTER PUBLICATION` to ensure event triggers contain all set options.
* Several fixes around replication slot initialization.
* Don't advance replication slot after a logical replication parallel worker
apply failure to prevent transaction loss on the subscriber.
* Fix error reporting for SQL/JSON path type mismatches.
* Fix JIT compilation function inlining when using LLVM 17 or later.
* Add new server parameter `file_extend_method` to control use of
`posix_fallocate()`.
* Fix `psql` tab completion for the `VACUUM` command options.
* Fix `pg_dump` to handle concurrent sequence drops gracefully and to fail if
the calling user explicitly lacks privileges to read the sequence.
* Several fixes for `amcheck` around `btree` inspection.
* Avoid crash in `pg_stat_statements` when an `IN` list contains both constants
and non-constant expressions.

This release also updates time zone data files to tzdata release 2025c, which
only has a historical data change for pre-1976 timestamps in Baja California.

Updating
--------

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use `pg_upgrade`
in order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.

If you have indexes on `ltree` columns and do not use the `libc` collation
provider, after upgrading to the latest version, you must reindex any
`ltree` column. You can use `REINDEX INDEX CONCURRENTLY` to minimize the impact
on your system.
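As an added example (not part of the announcement), the following SQL checks the database's collation provider and generates a `REINDEX INDEX CONCURRENTLY` statement for every index that has an `ltree` key column. It assumes PostgreSQL 15 or later, where `pg_database.datlocprovider` exists.

```sql
-- Added example, not from the announcement. Assumes PostgreSQL 15+ for
-- pg_database.datlocprovider.

-- 1. Which collation provider does this database use?
--    'c' = libc (the announcement says no reindex is needed in that case),
--    'i' = ICU, 'b' = builtin (PostgreSQL 17+).
SELECT datname, datlocprovider, datcollate
FROM pg_database
WHERE datname = current_database();

-- 2. Emit one REINDEX INDEX CONCURRENTLY per index with an ltree key column.
--    Expression-based index keys (attnum 0 in indkey) are not matched by this
--    join; review any expression indexes over ltree values by hand.
SELECT format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, ic.relname)
       AS reindex_cmd
FROM pg_index i
JOIN pg_class ic     ON ic.oid = i.indexrelid
JOIN pg_namespace n  ON n.oid = ic.relnamespace
JOIN pg_attribute a  ON a.attrelid = i.indrelid
                    AND a.attnum = ANY (i.indkey)
                    AND a.attnum > 0
JOIN pg_type t       ON t.oid = a.atttypid
WHERE t.typname = 'ltree'
GROUP BY n.nspname, ic.relname
ORDER BY 1;
```

In `psql`, appending `\gexec` to the second query runs the generated statements one by one; `REINDEX INDEX CONCURRENTLY` cannot run inside a transaction block, so do not wrap the step in `BEGIN`/`COMMIT`.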

Users who have skipped one or more update releases may need to run additional
post-update steps; please see the release notes from earlier versions for
details.

For more details, please see the [release notes](https://www.postgresql.org/docs/release/).

Links
-----

* [Download](https://www.postgresql.org/download/)
* [Release Notes](https://www.postgresql.org/docs/release/)
* [Security](https://www.postgresql.org/support/security/)
* [Versioning Policy](https://www.postgresql.org/support/versioning/)
* [Submit a Bug](https://www.postgresql.org/account/submitbug/)
* [Donate](https://www.postgresql.org/about/donate/)

If you have corrections or suggestions for this release announcement, please send them to the _pgsql-www(at)lists(dot)postgresql(dot)org_ public [mailing list](https://www.postgresql.org/list/).
