
PostgreSQL 18.3 Emergency Patch

PostgreSQL 18.3 Emergency Patch fixing 9 critical bugs
1 March

On February 26, 2026, the PostgreSQL development team released an out-of-cycle emergency patch to fix 9 bugs caused by regressions in version 18.2, which was released just two weeks earlier on February 12. The patched versions are 18.3, 17.9, 16.13, 15.17, and 14.22. This article summarizes what DBAs and IT teams need to know, along with best practices for organizations running PostgreSQL as their primary database.

Why an Out-of-Cycle Release?

PostgreSQL normally releases minor updates on a quarterly schedule. This out-of-cycle release, however, came just 14 days after version 18.2. The main reasons:

  • Some bugs caused standby servers to halt — directly impacting High Availability systems
  • Some bugs caused application crashes when using text search or JSON functions
  • Some bugs caused queries to return wrong results silently — the most dangerous type because they are hard to detect

Important: If your organization recently updated to PostgreSQL 18.2, 17.8, 16.12, 15.16, or 14.21 in mid-February — you must update again immediately, as that patch introduced regression bugs.

The 9 Bugs Fixed in This Patch

1. Standby Server Halting — "could not access status of transaction"

This is the most severe bug. It causes standby servers (read replicas) to halt with the error "could not access status of transaction," meaning your disaster recovery and high availability systems become non-functional until patched.

2. substring() Encoding Error on Non-ASCII Text

The substring() function returns incorrect results when used with non-ASCII text such as Thai, Chinese, or Japanese characters — a regression from the CVE-2026-2006 fix in the previous version. For ERP systems storing multilingual data, this bug could cause reports to display incorrect information silently.

3. pg_trgm strict_word_similarity() Crash

The strict_word_similarity() function in the pg_trgm extension, used for fuzzy text search, causes PostgreSQL to crash immediately — a regression from the CVE-2026-2007 fix. Organizations using pg_trgm for searching customer names, product names, or addresses are directly affected.

4. json_strip_nulls() Function Volatility — Now Immutable

The json_strip_nulls() function was previously marked as Stable but should be Immutable (always returns the same output for the same input). This fix allows json_strip_nulls() to be used in expression indexes — improving query performance for JSON data.

5. LATERAL UNION ALL NULL — Wrong Query Results

When using LATERAL JOIN with UNION ALL containing NULL values in some columns, the system returns incorrect results without any error — this type of bug is extremely dangerous because wrong data gets used for decision-making without anyone noticing.

6. NOT NULL Constraint Naming Conflicts

NOT NULL constraint naming could conflict with existing constraints, preventing table creation or column additions — impacting migration scripts and schema changes in production systems.

7. pg_stat_get_backend_wait_event() for Auxiliary Processes

The wait event monitoring function returns incorrect data for auxiliary processes such as background writer and checkpointer — impacting performance monitoring and troubleshooting.

8. Composite-type Casting in PL/pgSQL

Composite-type casting in PL/pgSQL fails in certain cases — impacting stored procedures that use record types or row types, a common pattern in ERP systems with complex business logic.

9. hstore Binary Input Crash on Duplicate Keys

The hstore extension crashes when receiving binary input with duplicate keys — impacting systems that use hstore for key-value storage such as custom fields or metadata.

Impact Summary by Severity

Severity | Bug | Impact
Critical | Standby halting | HA/DR becomes non-functional
Critical | pg_trgm crash, hstore crash | Immediate system crash
High | substring encoding, LATERAL UNION ALL | Silent data corruption
Medium | NOT NULL naming, PL/pgSQL casting | Schema changes fail
Low | json_strip_nulls, wait_event | Performance/monitoring inaccuracies

Affected Versions

This patch covers all supported PostgreSQL branches:

Branch | Buggy Version | Fixed Version
PostgreSQL 18 | 18.2 | 18.3
PostgreSQL 17 | 17.8 | 17.9
PostgreSQL 16 | 16.12 | 16.13
PostgreSQL 15 | 15.16 | 15.17
PostgreSQL 14 | 14.21 | 14.22

PostgreSQL 19 is scheduled for stable release in September 2026. PostgreSQL 13 and earlier have reached End of Life — organizations still using them should plan to upgrade to PostgreSQL 16 or higher as soon as possible.

Why This Matters for Organizations Using Saeree ERP

Saeree ERP has been using PostgreSQL as its primary database for over 20 years, which means:

  • All financial data — accounting, inventory, procurement — runs on PostgreSQL
  • Standby servers used for DR and read replicas may halt if not patched
  • Reports using multilingual data may display incorrect results due to the substring encoding bug
  • Stored procedures using PL/pgSQL may malfunction due to the composite-type casting bug

Database patching is not something you do "when you have free time" — it must be done immediately when patches are released, especially out-of-cycle releases issued for critical issues.

- Saeree ERP Team

Best Practices for Patching Production Databases

For organizations that need to update PostgreSQL in production, follow these steps:

  1. Check your current version — Run SELECT version(); on every server, both primary and standby
  2. Read the release notes — Determine which bugs affect your system. Not every bug requires panic, but you must assess the impact
  3. Test in staging first — Update your staging environment and run your application test suite to confirm nothing breaks
  4. Back up your data — Create a backup using pg_dump or pg_basebackup before every update
  5. Update standby before primary — For PostgreSQL minor releases, you can update the binary and restart. No pg_upgrade is needed
  6. Verify after update — Run SELECT version(); again, check standby replication lag, and test core application functionality

Minor Release vs Major Release — What's the Difference?

Minor Release (e.g., 18.2 to 18.3) | Major Release (e.g., 17 to 18)
Fixes bugs and security vulnerabilities | Adds new features, changes internal format
Update binary and restart | Requires pg_upgrade or pg_dump/restore
Downtime: a few seconds (restart) | Downtime: varies by data size
Low risk, should be done immediately | Requires careful planning and testing

Summary — What You Need to Do Now

  1. Check your PostgreSQL version — If you're running a buggy version (18.2, 17.8, 16.12, 15.16, 14.21), update immediately
  2. Update to the latest version in your branch (18.3, 17.9, 16.13, 15.17, 14.22)
  3. Check your standby servers — If using streaming replication, verify they are still functioning normally
  4. Plan an upgrade if you're still on PostgreSQL 13 or older — they have reached end of life
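
The version check from this summary and the standby-first ordering from the Best Practices list can be scripted across a fleet. The following is an added example, not code from PostgreSQL or Saeree ERP; the status names (fixed, regressed, behind, eol, unknown), the host names and the inventory format are assumptions of the example, while the version numbers come from the table above.

```shell
#!/bin/sh
# Added example: statuses and host names are this example's own;
# the buggy/fixed version numbers come from the article's table.

classify_pg_version() {
    # Accepts "18.2", "17.9 (Debian 17.9-1)" or full SELECT version() output.
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        *.*) major=${ver%%.*}; minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   echo unknown; return 0 ;;   # empty, or no minor part ("19beta1")
    esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -le 13 ]; then echo eol; return 0; fi
    case "$major" in                     # first fixed minor per branch
        18) fixed=3 ;;
        17) fixed=9 ;;
        16) fixed=13 ;;
        15) fixed=17 ;;
        14) fixed=22 ;;
        *)  echo unknown; return 0 ;;
    esac
    if [ "$minor" -ge "$fixed" ]; then echo fixed
    # In every branch the regressed release is the minor just before the fix.
    elif [ "$minor" -eq $((fixed - 1)) ]; then echo regressed
    else echo behind                     # older minor; still not the latest
    fi
}

patch_plan() {
    # stdin:  "<host> <role> <version string>" per line.
    # stdout: hosts not yet on a fixed release, standbys first (step 5).
    while read -r host role version; do
        [ -n "$host" ] || continue
        status=$(classify_pg_version "$version")
        [ "$status" = fixed ] && continue
        case "$role" in standby) key=0 ;; *) key=1 ;; esac
        printf '%s %s %s %s\n' "$key" "$host" "$role" "$status"
    done | sort -k1,1n -k2,2 | cut -d' ' -f2-
}

# Constructed inventory; on real hosts take the version field from
#   psql -AtXc 'SHOW server_version'
patch_plan <<'EOF'
db-primary primary PostgreSQL 18.2 on x86_64-pc-linux-gnu
db-standby1 standby 18.2
db-report standby 17.9 (Debian 17.9-1)
db-legacy primary 13.18
EOF
```

Hosts reported as eol need a major upgrade rather than a minor update, so they fall outside the binary-and-restart path described above.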

If your organization uses Saeree ERP and needs assistance updating PostgreSQL or planning disaster recovery, contact our consulting team for a system readiness assessment.


Saeree ERP Team

About the Author

Expert ERP team from Grand Linux Solution Co., Ltd., providing comprehensive ERP consulting and services.