RHSA-2026:21182

Vulnerability from csaf_redhat - Published: 2026-05-26 23:31 - Updated: 2026-06-04 04:35
Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:

postgresql17:
  * postgresql17-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-contrib-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-docs-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-plperl-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-plpython3-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-pltcl-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-private-devel-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-private-libs-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-server-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-server-devel-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-static-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-test-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-test-rpm-macros-17.10-0.1.hum1 (noarch)
  * postgresql17-upgrade-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-upgrade-devel-17.10-0.1.hum1 (aarch64, x86_64)
  * postgresql17-17.10-0.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-6475 (Red Hat impact: Moderate; CVSS 3.1 base score 6.7, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
A flaw was found in PostgreSQL. Plain-format pg_basebackup and pg_rewind follow symlinks in the data they write, so a superuser on the origin (source) server can make those tools overwrite arbitrary local files on the host running them and potentially hijack the operating-system account that runs them. The window is the interval between running one of these commands and restarting the server; the attack has practical impact when the written files are acted on during that interval, for example by moving them to a different virtual machine (VM) or snapshotting the VM. Exploitation requires local access and superuser privileges on the origin. Fixed upstream in PostgreSQL 18.4, 17.10, 16.14, 15.18 and 14.23.

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Affected products
Product (fixed in postgresql17-17.10-0.1.hum1)               Remediation
Red Hat Hardened Images:postgresql17-main@aarch64             Vendor Fix
Red Hat Hardened Images:postgresql17-main@noarch              Vendor Fix
Red Hat Hardened Images:postgresql17-main@src                 Vendor Fix
Red Hat Hardened Images:postgresql17-main@x86_64              Vendor Fix
Threats
Impact Moderate
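The advisory's practical guidance for CVE-2026-6475 is that the danger lies between running pg_basebackup/pg_rewind and restarting the server. The following is an added example, not PostgreSQL's fix and not part of the advisory: a pre-restart audit that walks a data directory produced by either tool and reports symlinks whose resolved target lies outside that directory. It assumes, as a policy of this example, that entries under pg_tblspc and a top-level pg_wal link are the only symlinks expected to point out of tree; everything else is reported. The demo builds a constructed directory under a temporary path and plants one escaping link.

```python
"""Audit a restored or rewound PostgreSQL data directory for symlinks that
escape it. Illustrative check added alongside CVE-2026-6475; this is not
PostgreSQL code. Policy assumed here: pg_tblspc/* and a top-level pg_wal
link may legitimately point outside the data directory; anything else
that resolves outside it is reported."""
import os
import tempfile

# Out-of-tree symlinks expected by design: tablespaces, and pg_wal
# relocated with initdb --waldir. Everything else is suspicious.
ALLOWED_LINK_PARENTS = ("pg_tblspc",)
ALLOWED_LINK_NAMES = ("pg_wal",)


def escaping_symlinks(datadir):
    """Return [(relative_link_path, raw_link_target)] for every symlink under
    datadir whose resolved target is outside datadir and is not an allowed
    exception. os.walk does not follow links, so linked dirs are listed but
    not descended into."""
    root = os.path.realpath(datadir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            if rel.split(os.sep)[0] in ALLOWED_LINK_PARENTS or rel in ALLOWED_LINK_NAMES:
                continue
            target = os.path.realpath(path)  # follows chained links too
            if os.path.commonpath([root, target]) != root:
                findings.append((rel, os.readlink(path)))
    return findings


def demo():
    """Build a constructed data directory and return the flagged link paths."""
    with tempfile.TemporaryDirectory() as tmp:
        datadir = os.path.join(tmp, "pgdata")
        os.makedirs(os.path.join(datadir, "pg_tblspc"))
        os.makedirs(os.path.join(datadir, "global"))
        outside = os.path.join(tmp, "outside")
        os.makedirs(outside)
        with open(os.path.join(outside, "authorized_keys"), "w") as fh:
            fh.write("constructed sample file\n")
        with open(os.path.join(datadir, "global", "pg_filenode.map"), "w") as fh:
            fh.write("constructed sample file\n")
        # Legitimate: a tablespace link pointing out of tree.
        os.symlink(outside, os.path.join(datadir, "pg_tblspc", "16385"))
        # Suspicious: a path inside the data directory that is really a link
        # to a file outside it, so a write to it lands outside the tree.
        os.symlink(os.path.join(outside, "authorized_keys"),
                   os.path.join(datadir, "global", "pg_control"))
        # Harmless: a link that stays inside the data directory.
        os.symlink("pg_filenode.map", os.path.join(datadir, "global", "alias"))
        return [rel for rel, _ in escaping_symlinks(datadir)]


if __name__ == "__main__":
    for rel, target in escaping_symlinks(os.environ.get("PGDATA", ".")):
        print("%s -> %s" % (rel, target))
```

Run it with PGDATA pointing at the freshly written directory before the server is restarted or the files are copied elsewhere; a non-empty report means the tree should be discarded rather than started.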

CVE-2026-6477 (Red Hat impact: Important; CVSS 3.1 base score 8.4, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
A flaw was found in PostgreSQL libpq. PQfn(), the fast-path function-call interface used by the large-object client functions lo_export(), lo_read(), lo_lseek64() and lo_tell64(), does not adequately bound the size of the function result the server returns. A server superuser, which in practice means a malicious or compromised server, can therefore return an arbitrarily large response and overwrite stack memory in the connecting client, including psql and pg_dump, which can lead to arbitrary code execution on the client system. The CVSS scope is changed because a server-side attacker reaches the client host, and user interaction is required because the victim must connect to the hostile server. Workaround until the fix is applied: connect only to trusted PostgreSQL servers, and do not run psql or pg_dump against untrusted or potentially compromised ones. Fixed upstream in PostgreSQL 18.4, 17.10, 16.14, 15.18 and 14.23.

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Affected products
Product (fixed in postgresql17-17.10-0.1.hum1)               Remediation
Red Hat Hardened Images:postgresql17-main@aarch64             Vendor Fix, Workaround
Red Hat Hardened Images:postgresql17-main@noarch              Vendor Fix, Workaround
Red Hat Hardened Images:postgresql17-main@src                 Vendor Fix, Workaround
Red Hat Hardened Images:postgresql17-main@x86_64              Vendor Fix, Workaround
Threats
Impact Important
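CVE-2026-6477 is the classic CWE-120 shape: the server names a result length, the client copies that many bytes into a fixed buffer. The block below is an added illustration, written for this page rather than taken from libpq, of the invariant a fast-path client must enforce when it reads a FunctionCallResponse ('V') message: the server-supplied result length must agree with the message framing and must not exceed the caller's buffer. The wire layout used is the documented frontend/backend protocol message (Byte1 'V', Int32 message length including itself, Int32 result length with -1 for NULL, then the result bytes); the messages fed to it are constructed in-line, and the 8-byte buffer models the int64 that lo_lseek64() and lo_tell64() expect.

```python
"""Bounded reading of a PostgreSQL FunctionCallResponse ('V') message.
Added illustration for CVE-2026-6477; this is not libpq's code. Wire layout:
  Byte1('V') Int32(msg length incl. itself) Int32(result length, -1 = NULL) ByteN(result)
"""
import struct


class MalformedResponse(ValueError):
    """Raised instead of copying past the caller's buffer."""


def build_function_call_response(result):
    """Constructed server message; result=None encodes a SQL NULL."""
    if result is None:
        body = struct.pack("!i", -1)
    else:
        body = struct.pack("!i", len(result)) + result
    return b"V" + struct.pack("!I", 4 + len(body)) + body


def read_function_result(msg, result_buf_len):
    """Return the result bytes (None for NULL) that fit a caller buffer of
    result_buf_len bytes. Every length the server controls is checked
    against the framing and against the buffer before anything is copied."""
    if len(msg) < 9 or msg[0:1] != b"V":
        raise MalformedResponse("not a FunctionCallResponse")
    (msg_len,) = struct.unpack("!I", msg[1:5])
    if msg_len != len(msg) - 1:
        raise MalformedResponse("message length %d does not match framing" % msg_len)
    (result_len,) = struct.unpack("!i", msg[5:9])
    if result_len == -1:
        return None
    if result_len < 0 or result_len != msg_len - 8:
        raise MalformedResponse("result length %d inconsistent with message" % result_len)
    if result_len > result_buf_len:
        # The bound that a CWE-120 client omits: copying result_len bytes
        # into a fixed-size stack buffer is exactly the overflow described.
        raise MalformedResponse("server result of %d bytes exceeds %d-byte buffer"
                                % (result_len, result_buf_len))
    return msg[9:9 + result_len]


def lo_lseek64_result(msg):
    """lo_lseek64 returns an int64 offset; the client expects exactly 8 bytes."""
    data = read_function_result(msg, 8)
    if data is None or len(data) != 8:
        raise MalformedResponse("expected an 8-byte int64 result")
    return struct.unpack("!q", data)[0]


def is_rejected(msg, result_buf_len):
    """True when the bounded reader refuses the message."""
    try:
        read_function_result(msg, result_buf_len)
    except MalformedResponse:
        return True
    return False


if __name__ == "__main__":
    good = build_function_call_response(struct.pack("!q", 4096))
    print("offset:", lo_lseek64_result(good))
    hostile = build_function_call_response(b"A" * 4096)
    print("hostile rejected:", is_rejected(hostile, 8))
```

The point of the example is the order of checks: framing first, then the caller's buffer, and only then the copy. A reader that trusts result_len because the message length already "looked right" is still exploitable, since both numbers come from the same peer.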

CVE-2026-6478 (Red Hat impact: Important; CVSS 3.1 base score 8.2, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
A flaw was found in PostgreSQL. The server's comparison of MD5 password hashes during authentication leaks timing information (a covert timing channel). A remote, unauthenticated attacker can use it to recover user credentials and gain unauthorized access to the database. Only roles whose stored password is still an MD5 hash are exposed; these are typically left over from clusters upgraded from PostgreSQL 13 or earlier, where md5 was the default password_encryption (PostgreSQL 14 and later store new passwords as scram-sha-256 by default). Workaround until the fix is applied: re-set the password of every such role with password_encryption set to scram-sha-256, for example `ALTER USER username WITH PASSWORD 'new_password';`, which replaces the stored MD5 hash; affected users and services then need the new credential and may require a restart to pick it up.

CWE-385 - Covert Timing Channel
Affected products
Product (fixed in postgresql17-17.10-0.1.hum1)               Remediation
Red Hat Hardened Images:postgresql17-main@aarch64             Vendor Fix, Workaround
Red Hat Hardened Images:postgresql17-main@noarch              Vendor Fix, Workaround
Red Hat Hardened Images:postgresql17-main@src                 Vendor Fix, Workaround
Red Hat Hardened Images:postgresql17-main@x86_64              Vendor Fix, Workaround
Threats
Impact Important
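The workaround for CVE-2026-6478 only helps if every MD5-hashed role is actually found and re-hashed, and if pg_hba.conf no longer lets such roles authenticate with the md5 method afterwards. The following is an added example, not part of the advisory, that does that inventory offline: it classifies pg_authid rows by hash type (MD5 hashes are stored as `md5` plus 32 hex digits, SCRAM ones as `SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey`), finds pg_hba.conf rules whose method is md5 or password (both accept MD5-hashed roles), and emits the re-hashing statements. The rows and the pg_hba.conf text are constructed here; in practice the rows come from `SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword IS NOT NULL;` run as a superuser. The `<new-password-from-vault>` placeholder is an assumption of this example: the replacement secret must come from wherever the deployment keeps credentials.

```python
"""Inventory roles still carrying MD5 password hashes and pg_hba.conf rules
that still let them log in. Added illustration for CVE-2026-6478; not part
of the advisory or of PostgreSQL. All inputs below are constructed."""
import re

MD5_HASH = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_HASH = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")

# pg_hba.conf authentication methods; the method is the first such token
# after the address field (a netmask may occupy an extra field before it).
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def hash_kind(rolpassword):
    """Classify a pg_authid.rolpassword value."""
    if rolpassword is None:
        return "none"
    if MD5_HASH.match(rolpassword):
        return "md5"
    if SCRAM_HASH.match(rolpassword):
        return "scram-sha-256"
    return "unknown"


def md5_roles(rows):
    """rows: iterable of (rolname, rolpassword). Returns roles to re-hash."""
    return [name for name, pw in rows if hash_kind(pw) == "md5"]


def md5_hba_rules(hba_text):
    """Return (line_no, line) for rules using md5 or password, the two
    methods under which an MD5-hashed role can still authenticate."""
    hits = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            start = 3
        elif fields[0] in HOST_TYPES:
            start = 4
        else:
            continue  # include directives and unknown lines are out of scope
        method = next((f for f in fields[start:] if f in AUTH_METHODS), None)
        if method in ("md5", "password"):
            hits.append((no, raw))
    return hits


def quote_ident(name):
    return '"%s"' % name.replace('"', '""')


def migration_sql(role_names):
    """Statements a superuser runs so the new passwords are stored as SCRAM.
    password_encryption is a session-settable GUC, so SET covers the batch."""
    stmts = ["SET password_encryption = 'scram-sha-256';"]
    for name in role_names:
        stmts.append("ALTER ROLE %s PASSWORD '<new-password-from-vault>';"
                     % quote_ident(name))
    return stmts


# Constructed sample data standing in for pg_authid rows and pg_hba.conf.
SAMPLE_ROWS = [
    ("app_legacy", "md5" + "a1" * 16),
    ("app_modern", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"),
    ("replicator", None),
    ("admin", "md5" + "beef" * 8),
]
SAMPLE_HBA = """# constructed pg_hba.conf (not a real file)
local   all          all                                      peer
host    all          all          127.0.0.1/32                md5
host    all          all          10.0.0.0/8                  scram-sha-256
hostssl replication  replicator   192.168.1.0 255.255.255.0   md5
"""

if __name__ == "__main__":
    print("roles with MD5 hashes:", md5_roles(SAMPLE_ROWS))
    for no, line in md5_hba_rules(SAMPLE_HBA):
        print("pg_hba.conf line %d still allows MD5: %s" % (no, line.strip()))
    print("\n".join(migration_sql(md5_roles(SAMPLE_ROWS))))
```

Two operational notes: an ALTER ROLE with a literal password is written to the server log when statement logging is on, so psql's `\password` (which hashes client-side and sends only the hash) is the safer way to apply the same change; and once every role is re-hashed, switching the flagged pg_hba.conf rules from md5 to scram-sha-256 makes any MD5-hashed role that was missed fail to log in, which surfaces it instead of leaving the timing channel reachable.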

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\npostgresql17:\n  * postgresql17-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-contrib-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-docs-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-plperl-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-plpython3-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-pltcl-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-private-devel-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-private-libs-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-server-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-server-devel-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-static-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-test-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-test-rpm-macros-17.10-0.1.hum1 (noarch)\n  * postgresql17-upgrade-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-upgrade-devel-17.10-0.1.hum1 (aarch64, x86_64)\n  * postgresql17-17.10-0.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:21182",
        "url": "https://access.redhat.com/errata/RHSA-2026:21182"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6478",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6478"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6477",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6477"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6475",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6475"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_21182.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-06-04T04:35:59+00:00",
      "generator": {
        "date": "2026-06-04T04:35:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2026:21182",
      "initial_release_date": "2026-05-26T23:31:06+00:00",
      "revision_history": [
        {
          "date": "2026-05-26T23:31:06+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-03T20:46:15+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-04T04:35:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql17-main@aarch64",
                "product": {
                  "name": "postgresql17-main@aarch64",
                  "product_id": "postgresql17-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/postgresql17@17.10-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql17-main@src",
                "product": {
                  "name": "postgresql17-main@src",
                  "product_id": "postgresql17-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/postgresql17@17.10-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql17-main@x86_64",
                "product": {
                  "name": "postgresql17-main@x86_64",
                  "product_id": "postgresql17-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/postgresql17@17.10-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql17-main@noarch",
                "product": {
                  "name": "postgresql17-main@noarch",
                  "product_id": "postgresql17-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/postgresql17-test-rpm-macros@17.10-0.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql17-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:postgresql17-main@aarch64"
        },
        "product_reference": "postgresql17-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql17-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:postgresql17-main@noarch"
        },
        "product_reference": "postgresql17-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql17-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:postgresql17-main@src"
        },
        "product_reference": "postgresql17-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql17-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:postgresql17-main@x86_64"
        },
        "product_reference": "postgresql17-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6475",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "discovery_date": "2026-05-14T14:01:20.040061+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477439"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in PostgreSQL. This vulnerability, related to symlink following in pg_basebackup (plain format) and pg_rewind, allows an origin superuser to overwrite local files. By exploiting this, an attacker could potentially hijack the operating system account. This attack has practical implications if specific actions are taken, such as moving files to a different virtual machine (VM) or snapshotting the VM, between the execution of these commands and the server\u0027s restart.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "postgresql: PostgreSQL: Operating system account hijack via symlink following in pg_basebackup and pg_rewind",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This MODERATE symlink following vulnerability in PostgreSQL\u0027s pg_basebackup and pg_rewind allows an origin superuser to overwrite local files. Exploitation requires local access, high privileges (superuser), and specific intermediate actions before server restart. Impact is high to confidentiality, integrity, and availability if exploited. Affects versions before 18.4, 17.10, 16.14, 15.18, and 14.23.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:postgresql17-main@aarch64",
          "Red Hat Hardened Images:postgresql17-main@noarch",
          "Red Hat Hardened Images:postgresql17-main@src",
          "Red Hat Hardened Images:postgresql17-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6475"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477439",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477439"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6475",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6475"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6475",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6475"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6475/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6475/"
        }
      ],
      "release_date": "2026-05-14T13:00:11.039000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-26T23:31:06+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21182"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "postgresql: PostgreSQL: Operating system account hijack via symlink following in pg_basebackup and pg_rewind"
    },
    {
      "cve": "CVE-2026-6477",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "discovery_date": "2026-05-14T14:01:31.087667+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477442"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in PostgreSQL libpq. A server superuser can exploit a buffer overflow vulnerability in the PQfn function, which is used by client functions such as lo_export(), lo_read(), lo_lseek64(), and lo_tell64(). This allows the superuser to send an arbitrarily large response, overwriting the client\u0027s stack memory, specifically in tools like psql and pg_dump. This could lead to arbitrary code execution on the client system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This IMPORTANT buffer overflow in PostgreSQL libpq allows a malicious server superuser to overwrite client stack memory via lo_* functions. Exploitation requires the victim to connect to a compromised or malicious server (UI:R). The scope is changed as the server attack affects the client system. Impact is high to confidentiality, integrity, and availability through potential client-side code execution. Affects versions before 18.4, 17.10, 16.14, 15.18, and 14.23.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:postgresql17-main@aarch64",
          "Red Hat Hardened Images:postgresql17-main@noarch",
          "Red Hat Hardened Images:postgresql17-main@src",
          "Red Hat Hardened Images:postgresql17-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6477"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477442",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477442"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6477",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6477"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6477",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6477"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6477/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
        }
      ],
      "release_date": "2026-05-14T13:00:12.497000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-26T23:31:06+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21182"
        },
        {
          "category": "workaround",
          "details": "Only connect to trusted PostgreSQL servers. Avoid using psql or pg_dump against untrusted or potentially compromised database servers.",
          "product_ids": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory"
    },
    {
      "cve": "CVE-2026-6478",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "discovery_date": "2026-05-14T14:01:45.568001+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477447"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts databases that retain MD5-hashed passwords from upgrades of PostgreSQL 13 or earlier.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:postgresql17-main@aarch64",
          "Red Hat Hardened Images:postgresql17-main@noarch",
          "Red Hat Hardened Images:postgresql17-main@src",
          "Red Hat Hardened Images:postgresql17-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6478"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477447",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477447"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6478",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6478"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6478",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6478"
        },
        {
          "category": "external",
          "summary": "https://www.postgresql.org/support/security/CVE-2026-6478/",
          "url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
        }
      ],
      "release_date": "2026-05-14T13:00:13.174000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-26T23:31:06+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21182"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, ensure that all PostgreSQL user passwords are not hashed using MD5. Users should migrate to stronger hashing algorithms such as `scram-sha-256`. This can be achieved by altering user passwords, which will automatically update their hash to the currently configured default. For example, to change a user\u0027s password: `ALTER USER username WITH PASSWORD \u0027new_password\u0027;` This action will require users to re-authenticate. If a service relies on these credentials, it may require a restart to pick up the new authentication details.",
          "product_ids": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:postgresql17-main@aarch64",
            "Red Hat Hardened Images:postgresql17-main@noarch",
            "Red Hat Hardened Images:postgresql17-main@src",
            "Red Hat Hardened Images:postgresql17-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison"
    }
  ]
}