Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-18: Object-relational SQL database
- postgresql-17: Object-relational SQL database
- postgresql-16: Object-relational SQL database
- postgresql-14: Object-relational SQL database
Details:
It was discovered that PostgreSQL did not correctly enforce authorization
for CREATE TYPE. An attacker could possibly use this issue to execute
arbitrary SQL functions. (CVE-2026-6472)
It was discovered that PostgreSQL incorrectly handled large user input in
multiple server features. An attacker could possibly use this issue to
cause PostgreSQL to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-6473)
It was discovered that PostgreSQL incorrectly handled format strings in
the timeofday() function. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-6474)
It was discovered that PostgreSQL incorrectly followed symbolic links in
pg_basebackup and pg_...
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 26.04 LTS: postgresql-18 18.4-0ubuntu0.26.04.1
- Ubuntu 25.10: postgresql-17 17.10-0ubuntu0.25.10.1
- Ubuntu 24.04 LTS: postgresql-16 16.14-0ubuntu0.24.04.1
- Ubuntu 22.04 LTS: postgresql-14 14.23-0ubuntu0.22.04.1
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes.
https://ubuntu.com/security/notices/USN-8294-1
CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475,
CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479,
CVE-2026-6575, CVE-2026-6637, CVE-2026-6638