A parameter you cannot change. block_size lives in the “Preset Options” section of the docs, alongside its read-only cousins like data_checksums, wal_block_size, and server_version. It reports the size of a PostgreSQL page — the fundamental unit of on-disk storage and buffer-pool accounting. Default is 8192 bytes. It is read-only at runtime, settable only when PostgreSQL is compiled,
These two parameters close out the bgwriter cluster. Together with bgwriter_delay, they govern how the background writer decides what to write each round, and they are where the actual leverage lives — the previous post ended by saying so explicitly. Here is why.
The B cluster shifts gears: from one-off oddities to the background writer parameters, which span four GUCs. We do the first two as a pair because bgwriter_delay introduces the process in the first place, and bgwriter_flush_after slots cleanly into the writeback tour from backend_flush_after.
On May 4, ZeroDay.Cloud published the technical writeups for CVE-2026-2005 and CVE-2026-2006. Both are remote code execution bugs in pgcrypto. Both have been in the tree since pgcrypto was first contributed in 2005.
That’s the headline. It deserves a beat to land.
CVE-2026-2005 is a 32-byte heap overflow in pgp_parse_pubenc_sesskey(). The code decrypts an RSA or
A developer option, and a genuinely useful one. backtrace_functions takes a comma-separated list of internal C function names; if an error is raised inside any function in the list, PostgreSQL writes a C-level stack trace to the server log alongside the error. Added in PostgreSQL 13. Default empty. Context is superuser (or any user with the appropriate SET privilege). Not
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are out as of May 14, 2026. The release fixes eleven security issues and more than sixty bugs. That is not a typo. Eleven CVEs is the largest single-release security batch I can remember, and three of them are CVSS 8.8 with practical exploitation paths. Patch this week. If you can patch
MERGE PARTITIONS and SPLIT PARTITION are back in PostgreSQL 19. They were merged for PostgreSQL 17, reverted before GA, and have spent a year in rework. The version landing in 19 takes a heavier lock than the original and makes fewer ambitious promises. This is the right outcome, and the story of how it got here is worth understanding if
The B cluster’s first historical artifact. backslash_quote controls whether \' is accepted as a way of representing a single quote inside a SQL string literal. It exists because of a 2006 SQL injection vulnerability involving multibyte character encodings, and almost twenty years on it is still in the GUC list because removing it would break some application somewhere. PostgreSQL is
CVE-2026-2005 is a heap buffer overflow in the OpenPGP code path of pgcrypto. Feeding crafted ciphertext to pgp_sym_decrypt or its siblings allows arbitrary code execution as the operating system user the database is running as. The bug has been there since approximately 2005. Twenty years of pgcrypto shipping in every PostgreSQL release. Twenty years of “battle-tested” extension code. Twenty
We open the B cluster with a parameter whose existence is a confession. PostgreSQL has a complicated relationship with the Linux page cache, and backend_flush_after is one of four GUCs that exist to mediate that relationship. The other three — bgwriter_flush_after, checkpoint_flush_after, and wal_writer_flush_after — will get their own posts in due course. They share a mechanism and