CVE-2025-12818 – PostgreSQL — libpq Integer Wraparound Leading to Out-of-Bounds Write
“A library trusted by every application talking to PostgreSQL can be turned into a crash-on-demand weapon from the network.”
CVE-2025-12818 affects the PostgreSQL libpq client library, used by virtually every application that connects to a PostgreSQL database. The CVSS score is 5.9, which is Medium severity. No real-world exploitation has been confirmed. An integer wraparound flaw in multiple libpq functions allows a network peer or malicious input source to cause the library to undersize a memory allocation, triggering an out-of-bounds write of up to hundreds of megabytes. The result is a segmentation fault, crashing the application using libpq. Affected versions include PostgreSQL 13 through 18 prior to the patched releases.
Because libpq is embedded in application code rather than the database server itself, this vulnerability affects any software that links against it, including web applications, reporting tools, middleware, and data pipelines. A crash triggered remotely causes application downtime and can disrupt business operations dependent on database connectivity. The fix is in PostgreSQL versions 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. All applications using earlier libpq builds should be updated promptly.
Key Details
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-190