PostgreSQL 17.4 Released
The PostgreSQL Global Development Group has released an update to all supported versions, including PostgreSQL 17.4, 16.8, 15.12, 14.17, and 13.20.
This release addresses several bugs reported since the previous update and includes two security fixes relevant to all supported versions.
Security fixes
CVE-2026-XXXX — Incorrect privilege checks in certain COPY TO scenarios could allow
a user with limited permissions to read files outside their intended scope when combined
with a security-definer function. All supported versions are affected.
CVE-2026-YYYY — A race condition in the autovacuum launcher could cause the postmaster
to crash under specific timing conditions when autovacuum_max_workers is set to a high value.
Notable bug fixes in 17.4
- Fixed incorrect results from parallel hash joins when the inner relation contains many NULLs
- Corrected logical replication behaviour when a subscriber restarts mid-transaction on a large transaction that spans multiple WAL segments
- Fixed a memory leak in
pg_stat_activitywhen tracking query text for long-running sessions - Improved recovery time by reducing lock contention during hot standby replay
Upgrade
As with all minor releases, this is a drop-in upgrade — no pg_upgrade or dump/restore required.
Restart PostgreSQL after installing the updated packages.
Full release notes are available at postgresql.org.