
PostgreSQL has released updates for versions 18.1, 17.7, 16.11, 15.15, 14.20, and even the older end-of-life version 13.23. These updates fix over fifty bugs and two serious security flaws identified by users in recent months. The security issues include a vulnerability in the CREATE STATISTICS command that could lead to an incorrect security setup for other users and a critical bug affecting PostgreSQL's core library that could cause memory mismanagement and crashes. The new version also includes various other improvements and fixes, such as stabilizing BRIN indexes and partitioned tables, and addressing potential memory leaks in PL/Python functions.



PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 released

New PostgreSQL updates are now available, covering recent releases including 18.1, 17.7, 16.11, 15.15, 14.20, and yes, even the old end-of-life 13.23 version.


This latest release fixes two serious security flaws plus a long list of bugs, over fifty of them identified during the last few months by users.

For anyone still using PostgreSQL 13, this update means that version has reached its final supported state and won’t get any further security patches or bug fixes from here on out. Upgrading to one of these newer available versions is probably wise if you're managing production databases right now.

Two security issues stand out in this release:

  • One vulnerability involves the CREATE STATISTICS command not checking whether the target schema exists before trying to create the statistics object. As a result, table owners could end up setting up security incorrectly for other users later on.

  • Another critical bug is an integer wraparound in libpq, PostgreSQL's core library, which leads to memory mismanagement and potential crashes. That’s CVE-2025-12818, with a CVSS v3.1 score of 5.9. It could allow attackers to crash the application by writing too much data into its memory space.

A researcher named Aleksey Solovev from Positive Technologies reported both significant security issues, helping improve everyone’s database safety.

Beyond these major fixes, PostgreSQL developers have tackled more than fifty other bugs that were reported recently. Some are specific problems for version 18, but many apply across several supported versions too.

Among the specific fixes in this update: a bug in hash right semi-joins that let duplicate rows slip through and consume excessive memory, and a fix for parallel GIN index builds that resolves some earlier out-of-memory issues.

Other notable improvements include:

  • Stabilizing BRIN indexes and partitioned tables to avoid unexpected failures
  • Making sure generated columns aren't included accidentally as part of a table's key or loaded via the COPY command, which prevents certain types of data confusion
  • Ensuring pg_stat_replication provides accurate information about replication lag
  • Preventing disruptions during failovers by stopping WAL receivers from being shut down unnecessarily

And for developers using PL/pgSQL or dealing with logical replication:

  • Refined how assignments work with DISTINCT GROUP BY clauses
  • Addressed potential memory leaks in the system when errors occur in PL/Python functions
  • Improved error-handling logic for Windows sockets and GSSAPI security inside libpq

Plus, they fixed a couple of nitty-gritty details: NOT NULL constraints on inherited columns are now reported properly during backups and database dumps, and foreign key constraints keep the right order when dumped as well.

The new version can be downloaded from here. You can find the release notes here.