- Description
- Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
- Source
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 5.9
- Impact score
- 3.6
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- MEDIUM
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- CWE-190
- Hype score
- Not currently trending
Attack arithmetic: how an integer overflow in PostgreSQL libpq leads to denial of service. Our researcher Aleksey Solovev discovered the vulnerability CVE-2025-12818, which may cause a product using the libpq PostgreSQL library to crash. https://t.co/fP2LJFmqPS https://t.c
@ptswarm
10 Mar 2026
2376 Impressions
9 Retweets
20 Likes
5 Bookmarks
0 Replies
0 Quotes
URGENT: CVE-2025-12818 - Critical #PostgreSQL libpq buffer overflow vulnerability (CVSS 8.5+). Remote code execution possible via connection string exploits. Read more: https://t.co/XUtyH6kX5z #Security #Oracle https://t.co/nTlWfjNnjj
@Cezar_H_Linux
16 Jan 2026
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#PostgreSQL 13 users: Patch immediately! CVE-2025-12817 (auth bypass) & CVE-2025-12818 (libpq crash) can cause DoS. Fixed in Debian LTS DLA-4420-1. Guide: Read more: https://t.co/CpGqtBmLqc #Security https://t.co/ZEgFZfnAia
@Cezar_H_Linux
26 Dec 2025
73 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
openSUSE Leap 15.6 releases PostgreSQL 13.23 update fixing critical flaws CVE-2025-12817 (missing CREATE STATISTICS privilege check) and CVE-2025-12818 (libpq integer overflow). Patch now. #Vulnerability https://t.co/vW3XLXU9qN
@threatcluster
9 Dec 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Security Advisory for #openSUSE Tumbleweed: A new patch is available for PostgreSQL 17, addressing two vulnerabilities (CVE-2025-12817, CVE-2025-12818). Read more: https://t.co/kLkVNJwDs4 #Security https://t.co/BY5XBkCVFf
@Cezar_H_Linux
30 Nov 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
2 CVEs in PostgreSQL fixed https://t.co/wFkYuCkskw CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound PostgreSQL 13 EOL Notice
@oss_security
14 Nov 2025
710 Impressions
0 Retweets
7 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-12818 Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocatio… https://t.co/7maWwQdgQF
@CVEnew
13 Nov 2025
115 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes