CVE-2025-4207

Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
postgresql-10	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Needs evaluation
postgresql-12	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Fixed 12.22-0ubuntu0.20.04.4
postgresql-14	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Fixed 14.18-0ubuntu0.22.04.1
	20.04 LTS focal	Not in release
postgresql-16	25.04 plucky	Not in release
	24.10 oracular	Fixed 16.9-0ubuntu0.24.10.1
	24.04 LTS noble	Fixed 16.9-0ubuntu0.24.04.1
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
postgresql-17	25.04 plucky	Fixed 17.5-0ubuntu0.25.04.1
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
postgresql-9.3	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	14.04 LTS trusty	Vulnerable, fix deferred
postgresql-9.5	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	16.04 LTS xenial	Needs evaluation

Notes

leosilva

PostgreSQL 9.3 is end of life upstream, and no updates are are available. Marking as deferred in -esm-main releases.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
postgresql-12	Upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=cbadeaca9271a1bade8ef9790bae09dc92e0ed30
postgresql-17	Upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ec5f89e8a29f32c7dbc4dd8734ed8406d771de2f

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Cvss 3 Severity Score

Status

Notes

leosilva

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references