
Debian LTS: postgresql-13 Critical DoS Integer Wraparound CVE-2025-12817

December 26, 2025
Critical updates for Debian LTS postgresql-13 address denial of service and integer wraparound security flaws.
A couple of vulnerabilities were discovered in postgresql-13, the widely popular database management system.

Summary

CVE-2025-12817

Missing authorization in the PostgreSQL CREATE STATISTICS command
allows a table owner to achieve denial of service against other
CREATE STATISTICS users by creating statistics objects in any schema.
A later CREATE STATISTICS for the same name, from a user having the
CREATE privilege, would then fail.

CVE-2025-12818

Integer wraparound in multiple PostgreSQL libpq client library
functions allows an application input provider or network peer
to cause libpq to undersize an allocation and write out-of-bounds
by hundreds of megabytes. This results in a segmentation fault
for the application using libpq.
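
The bug class described for CVE-2025-12818, shown as an added illustration (this is not libpq code and is not part of the advisory): a hypothetical string escaper sizes its output buffer as 2*len+1 in 32-bit arithmetic, next to a checked version that refuses lengths it cannot represent. The function names and the sizing formula are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical escaper sizing: worst case every input byte doubles, plus a
 * terminating NUL. Computed in 32 bits, as happens when a length is kept in
 * an int-sized variable. */
static uint32_t naive_escape_size(uint32_t len)
{
    return 2u * len + 1u;   /* wraps modulo 2^32 once len >= 2^31 */
}

/* Hardened form: reject any length whose worst-case size does not fit. */
static int checked_escape_size(size_t len, size_t *out)
{
    if (len > (SIZE_MAX - 1) / 2)
        return -1;          /* 2*len+1 would wrap: refuse instead */
    *out = 2 * len + 1;
    return 0;
}

/* Allocate the escape buffer only when the size computation is sound. */
static char *alloc_escape_buffer(size_t len, size_t *cap)
{
    if (checked_escape_size(len, cap) != 0)
        return NULL;
    return malloc(*cap);
}

int main(void)
{
    uint32_t len = 0x80000000u + 100u;  /* constructed oversized length */
    size_t cap = 0;

    /* A >2 GiB input yields a tiny buffer size; a later copy of len bytes
     * into that buffer is the out-of-bounds write. */
    printf("naive size for len=%u: %u bytes\n",
           (unsigned)len, (unsigned)naive_escape_size(len));

    char *buf = alloc_escape_buffer(16, &cap);
    printf("checked size for len=16: %zu bytes\n", cap);
    free(buf);

    printf("oversized length rejected: %s\n",
           alloc_escape_buffer(SIZE_MAX / 2 + 1, &cap) == NULL ? "yes" : "no");
    return 0;
}
```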

For Debian 11 bullseye, these problems have been fixed in version
13.23-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/postgresql-13



Severity: critical

Package: postgresql-13
Version: 13.23-0+deb11u1
CVE ID: CVE-2025-12817 CVE-2025-12818
