September 26, 2024: PostgreSQL 17 Released!

CVE-2021-32027

Buffer overrun from integer overflow in array subscripting calculations

While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.

The PostgreSQL project thanks Tom Lane for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
13 13.3 May 13, 2021
12 12.7 May 13, 2021
11 11.12 May 13, 2021
10 10.17 May 13, 2021
9.6 9.6.22 May 13, 2021

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 6.5
Component core server
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.