ALAS2023-2026-1458

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1458
Advisory Released Date: 2026-03-05
Advisory Updated Date: 2026-03-05

Severity: Important

References: CVE-2026-2003 CVE-2026-2004 CVE-2026-2005 CVE-2026-2006
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. (CVE-2026-2003)

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. (CVE-2026-2004)

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. (CVE-2026-2005)

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. (CVE-2026-2006)

Affected Packages:

postgresql16

Issue Correction:
Run dnf update postgresql16 --releasever 2023.10.20260302 or dnf update --advisory ALAS2023-2026-1458 --releasever 2023.10.20260302 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    postgresql16-static-16.12-1.amzn2023.0.1.aarch64
    postgresql16-pltcl-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-private-libs-16.12-1.amzn2023.0.1.aarch64
    postgresql16-server-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-test-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-contrib-16.12-1.amzn2023.0.1.aarch64
    postgresql16-upgrade-devel-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-upgrade-16.12-1.amzn2023.0.1.aarch64
    postgresql16-plpython3-16.12-1.amzn2023.0.1.aarch64
    postgresql16-llvmjit-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-upgrade-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-test-16.12-1.amzn2023.0.1.aarch64
    postgresql16-docs-16.12-1.amzn2023.0.1.aarch64
    postgresql16-plpython3-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-private-devel-16.12-1.amzn2023.0.1.aarch64
    postgresql16-server-devel-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-upgrade-devel-16.12-1.amzn2023.0.1.aarch64
    postgresql16-docs-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-pltcl-16.12-1.amzn2023.0.1.aarch64
    postgresql16-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-llvmjit-16.12-1.amzn2023.0.1.aarch64
    postgresql16-contrib-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-private-libs-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-plperl-debuginfo-16.12-1.amzn2023.0.1.aarch64
    postgresql16-plperl-16.12-1.amzn2023.0.1.aarch64
    postgresql16-server-16.12-1.amzn2023.0.1.aarch64
    postgresql16-16.12-1.amzn2023.0.1.aarch64
    postgresql16-server-devel-16.12-1.amzn2023.0.1.aarch64
    postgresql16-debugsource-16.12-1.amzn2023.0.1.aarch64

noarch:
    postgresql16-test-rpm-macros-16.12-1.amzn2023.0.1.noarch

src:
    postgresql16-16.12-1.amzn2023.0.1.src

x86_64:
    postgresql16-test-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-plperl-16.12-1.amzn2023.0.1.x86_64
    postgresql16-server-devel-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-plpython3-16.12-1.amzn2023.0.1.x86_64
    postgresql16-private-libs-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-contrib-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-16.12-1.amzn2023.0.1.x86_64
    postgresql16-upgrade-devel-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-plperl-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-plpython3-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-server-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-static-16.12-1.amzn2023.0.1.x86_64
    postgresql16-llvmjit-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-private-libs-16.12-1.amzn2023.0.1.x86_64
    postgresql16-docs-16.12-1.amzn2023.0.1.x86_64
    postgresql16-docs-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-server-16.12-1.amzn2023.0.1.x86_64
    postgresql16-pltcl-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-pltcl-16.12-1.amzn2023.0.1.x86_64
    postgresql16-private-devel-16.12-1.amzn2023.0.1.x86_64
    postgresql16-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-upgrade-debuginfo-16.12-1.amzn2023.0.1.x86_64
    postgresql16-debugsource-16.12-1.amzn2023.0.1.x86_64
    postgresql16-test-16.12-1.amzn2023.0.1.x86_64
    postgresql16-server-devel-16.12-1.amzn2023.0.1.x86_64
    postgresql16-upgrade-devel-16.12-1.amzn2023.0.1.x86_64
    postgresql16-llvmjit-16.12-1.amzn2023.0.1.x86_64
    postgresql16-contrib-16.12-1.amzn2023.0.1.x86_64
    postgresql16-upgrade-16.12-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006

Mitre: CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006