Security researchers at Wiz’s zeroday.cloud event unveiled that AI found 20-year-old bugs in PostgreSQL and MariaDB, exposing buffer overflow flaws that lay dormant for over two decades in these open-source database engines. These vulnerabilities, rated high to critical severity, sit in core memory handling routines and could enable remote code execution on unpatched systems. AI-driven tools accelerated discovery by scanning vast codebases for patterns humans might overlook, highlighting a seismic shift in vulnerability hunting.
The flaws stem from improper bounds checking in buffer operations, a classic C programming pitfall from the early 2000s. In PostgreSQL, one bug traces to code predating version 8.0, while MariaDB shares a similar inherited issue from its MySQL lineage. Attackers could exploit these via crafted queries, overflowing stack or heap buffers to overwrite return addresses or inject shellcode. This isn’t theoretical: similar overflows have fueled exploits in production environments, from web apps to enterprise data warehouses.
AI-Powered Vulnerability Discovery
Traditional static analysis tools like Coverity or SonarQube rely on rule-based heuristics, but the AI that found these 20-year-old bugs was trained on massive datasets of known CVEs. At zeroday.cloud, researchers deployed large language models fine-tuned for code semantics, identifying anomalous memory accesses in hours—tasks that once took teams weeks.
- Semantic pattern matching: AI correlates buffer sizes with write operations across function call graphs.
- Historical code diffusion: Models simulate code evolution, flagging legacy patterns like unchecked `strcpy` calls.
- Fuzzing integration: AI generates targeted inputs, combining symbolic execution with neural-guided mutation.
This approach mirrors recent successes, such as the AI scan uncovering a 9-year-old Linux kernel bug, proving machine learning’s edge in legacy code audits.
Technical Breakdown of the Bugs
In more detail: PostgreSQL's affected routine mishandles variable-length data in tuple deserialization, where a 32-bit length field exceeds the allocated heap space. MariaDB's parallel issue hits during index key processing, which is vulnerable to oversized BLOB inputs.
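To make the bug class concrete, here is an added C example (not code from PostgreSQL, MariaDB or the zeroday.cloud researchers) of the pattern both paragraphs describe: a decoder that trusts a 32-bit length field, placed beside a hardened decoder that validates the length against both the bytes actually received and the destination's capacity. The wire format, the `FIELD_MAX` size and the sample records are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for one decoded field. */
#define FIELD_MAX 64

/* Hypothetical wire format, a stand-in for the tuple/BLOB encodings the article
 * describes: a 4-byte little-endian length followed by that many payload bytes. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug class: the 32-bit length is trusted. A length larger than FIELD_MAX,
 * or larger than the bytes actually received, makes memcpy write past `out`.
 * Shown only for contrast; it is never called on untrusted data here. */
static size_t decode_field_unchecked(const uint8_t *buf, char out[FIELD_MAX]) {
    uint32_t len = read_le32(buf);
    memcpy(out, buf + 4, len);   /* no check against FIELD_MAX or the input size */
    return len;
}

/* Hardened decoder: the untrusted length is validated against both the bytes
 * remaining in the input and the destination's capacity before any copy. */
static bool decode_field_checked(const uint8_t *buf, size_t buflen,
                                 char out[FIELD_MAX], size_t *out_len) {
    if (buflen < 4) return false;               /* header truncated */
    uint32_t len = read_le32(buf);
    if (len > buflen - 4) return false;         /* claims bytes that were never sent */
    if (len >= FIELD_MAX) return false;         /* leave room for the terminator */
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    *out_len = len;
    return true;
}

/* Constructed inputs exercising the checks. */
static const uint8_t benign_rec[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
/* Length field claims 0x7fffffff bytes; only one payload byte follows. */
static const uint8_t crafted_rec[] = {0xff, 0xff, 0xff, 0x7f, 'x'};

int checked_accepts_benign(void) {
    char out[FIELD_MAX]; size_t n = 0;
    return decode_field_checked(benign_rec, sizeof benign_rec, out, &n)
           && n == 5 && strcmp(out, "hello") == 0;
}

int checked_rejects_oversized_length(void) {
    char out[FIELD_MAX]; size_t n = 0;
    return !decode_field_checked(crafted_rec, sizeof crafted_rec, out, &n);
}

int checked_rejects_truncated_header(void) {
    char out[FIELD_MAX]; size_t n = 0;
    return !decode_field_checked(benign_rec, 3, out, &n);
}

/* 64 payload bytes really are present, but the destination holds 63 plus NUL. */
int checked_rejects_destination_overflow(void) {
    uint8_t rec[4 + FIELD_MAX];
    rec[0] = FIELD_MAX; rec[1] = rec[2] = rec[3] = 0;
    memset(rec + 4, 'a', FIELD_MAX);
    char out[FIELD_MAX]; size_t n = 0;
    return !decode_field_checked(rec, sizeof rec, out, &n);
}

/* The unchecked decoder behaves identically on well-formed input, which is
 * why the defect survives ordinary functional testing. */
int unchecked_copies_benign(void) {
    char out[FIELD_MAX] = {0};
    return decode_field_unchecked(benign_rec, out) == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void) {
    printf("checked accepts benign:            %d\n", checked_accepts_benign());
    printf("checked rejects oversized length:  %d\n", checked_rejects_oversized_length());
    printf("checked rejects truncated header:  %d\n", checked_rejects_truncated_header());
    printf("checked rejects dest overflow:     %d\n", checked_rejects_destination_overflow());
    printf("unchecked copies benign only:      %d\n", unchecked_copies_benign());
    return 0;
}
```

The three checks in `decode_field_checked` are the ones a code audit (human or AI-assisted) looks for at every site where a length read from the wire feeds a copy: header present, length bounded by remaining input, length bounded by destination. Note that the unchecked version passes the same benign test, which is exactly why this bug class can sit in a codebase for two decades.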
For IT pros, CVSS scores likely exceed 8.0 due to low complexity and high impact—remote exploitation without auth. Patch promptly via official repos: PostgreSQL 17.0+ and MariaDB 11.4+. Test in staging with tools like Valgrind for memory errors or AFL++ for fuzzing.
Enterprises running these DBs—think 70% of cloud workloads per DB-Engines rankings—face elevated risk in microservices or Kubernetes clusters. Integrate OWASP ZAP into CI/CD pipelines to catch regressions.
Implications for Database Security
Buffer overflows persist because open-source projects prioritize features over exhaustive rewrites. AI changes this by automating triage: tools like GitHub’s CodeQL now incorporate ML for zero-day prediction. Yet, false positives remain a hurdle—human validation is essential.
Network engineers should segment DB traffic with zero-trust policies, enforcing mTLS via CIS benchmarks. Monitor for anomalous query patterns using SIEM integrations like ELK Stack, alerting on spikes in large payloads.
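As an added example of the "spikes in large payloads" alert described above (not code from the article, ELK or any SIEM vendor), the C program below runs a simple per-client detector over a handful of constructed log lines. The line format (`client=<ip> payload_bytes=<n>`), the 64 KiB threshold and the alert-after-three rule are assumptions chosen for illustration; a real deployment would read its DB's own statement logs and evaluate the count within a time window.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CLIENTS 64
#define IP_LEN 40
#define LARGE_PAYLOAD_BYTES 65536L  /* hypothetical threshold: 64 KiB per statement */
#define ALERT_AFTER 3               /* hypothetical: alert once a client sends 3 */

struct client_stat { char ip[IP_LEN]; int oversized; };

/* Parse one constructed line "<ts> client=<ip> payload_bytes=<n> stmt=<sql>".
 * Returns 1 and fills ip/bytes on success, 0 for malformed lines. */
static int parse_line(const char *line, char ip[IP_LEN], long *bytes) {
    const char *c = strstr(line, "client=");
    const char *p = strstr(line, "payload_bytes=");
    if (!c || !p) return 0;
    c += strlen("client=");
    size_t n = strcspn(c, " ");
    if (n == 0 || n >= IP_LEN) return 0;      /* bound the copy into ip[] */
    memcpy(ip, c, n);
    ip[n] = '\0';
    p += strlen("payload_bytes=");
    char *end;
    *bytes = strtol(p, &end, 10);
    return end != p && *bytes >= 0;
}

/* Count oversized statements per client and report clients that reach
 * ALERT_AFTER. Returns the number of alerted clients; their IPs are written
 * to alerted[] (at most max_alerts). */
int detect_large_payload_spikes(const char *const *lines, size_t nlines,
                                char alerted[][IP_LEN], int max_alerts) {
    struct client_stat stats[MAX_CLIENTS];
    int nstats = 0, nalerts = 0;
    for (size_t i = 0; i < nlines; i++) {
        char ip[IP_LEN]; long bytes;
        if (!parse_line(lines[i], ip, &bytes) || bytes < LARGE_PAYLOAD_BYTES) continue;
        int k;
        for (k = 0; k < nstats; k++)
            if (strcmp(stats[k].ip, ip) == 0) break;
        if (k == nstats) {
            if (nstats == MAX_CLIENTS) continue;   /* table full: skip, never overflow */
            strcpy(stats[k].ip, ip);
            stats[k].oversized = 0;
            nstats++;
        }
        if (++stats[k].oversized == ALERT_AFTER && nalerts < max_alerts)
            strcpy(alerted[nalerts++], ip);
    }
    return nalerts;
}

/* Constructed sample: one client sends four oversized statements, another
 * stays small, a third sends one oversized statement, one line is malformed. */
static const char *const sample_lines[] = {
    "2024-05-01T10:00:01Z client=10.0.0.7 payload_bytes=180000 stmt=INSERT INTO docs VALUES (...)",
    "2024-05-01T10:00:02Z client=10.0.0.8 payload_bytes=120 stmt=SELECT 1",
    "2024-05-01T10:00:03Z client=10.0.0.7 payload_bytes=200000 stmt=INSERT INTO docs VALUES (...)",
    "garbage line without the expected fields",
    "2024-05-01T10:00:04Z client=10.0.0.7 payload_bytes=250000 stmt=INSERT INTO docs VALUES (...)",
    "2024-05-01T10:00:05Z client=10.0.0.7 payload_bytes=300000 stmt=INSERT INTO docs VALUES (...)",
    "2024-05-01T10:00:06Z client=10.0.0.9 payload_bytes=70000 stmt=INSERT INTO docs VALUES (...)",
};
#define SAMPLE_COUNT (sizeof sample_lines / sizeof *sample_lines)

int sample_alert_count(void) {
    char alerted[8][IP_LEN];
    return detect_large_payload_spikes(sample_lines, SAMPLE_COUNT, alerted, 8);
}

int sample_alert_is_expected_client(void) {
    char alerted[8][IP_LEN];
    int n = detect_large_payload_spikes(sample_lines, SAMPLE_COUNT, alerted, 8);
    return n == 1 && strcmp(alerted[0], "10.0.0.7") == 0;
}

int main(void) {
    char alerted[8][IP_LEN];
    int n = detect_large_payload_spikes(sample_lines, SAMPLE_COUNT, alerted, 8);
    for (int i = 0; i < n; i++)
        printf("ALERT: %s sent %d+ statements over %ld bytes\n",
               alerted[i], ALERT_AFTER, LARGE_PAYLOAD_BYTES);
    return 0;
}
```

Running it reports a single alert for 10.0.0.7: the malformed line is skipped, 10.0.0.8 never crosses the size threshold, and 10.0.0.9 crosses it only once. The same logic translates directly into a SIEM aggregation (count of statements above a size threshold, grouped by client, over a sliding window), which is the cheap signal that catches oversized BLOB or tuple payloads before a memory-safety bug is even known.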
Adopting AI-driven security scanning in vulnerability management workflows is non-negotiable for compliance with standards like PCI-DSS or GDPR.
The Big Picture
These discoveries underscore AI’s dual role: unearthing relics while demanding robust defenses. IT teams must evolve from reactive patching to proactive AI audits, especially for PostgreSQL and MariaDB in hybrid clouds. Forward-scan your estate with open tools like Semgrep enhanced by LLMs, and contribute to bounty programs for faster fixes.
The trend points to an era where AI routinely exposes “zombie” bugs, forcing a rethink of software longevity. Prioritize memory-safe languages like Rust for new extensions—PostgreSQL already experiments with pgrx crates.