Vulnerability-Lookup

WID-SEC-W-2026-1544

Vulnerability from csaf_certbund - Published: 2026-05-14 22:00 - Updated: 2026-06-16 22:00

Summary

PostgreSQL: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: PostgreSQL ist eine frei verfügbare Datenbank für unterschiedliche Betriebssysteme.

Angriff: Ein Angreifer kann mehrere Schwachstellen in PostgreSQL ausnutzen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um Dateien zu manipulieren, um einen SQL-Injection Angriff durchzuführen, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - MacOS X - UNIX - Windows

CVE-2026-6472

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6473

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6474

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6475

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6476

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6477

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6478

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6479

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6575

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6637

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-6638

Affected products

Known affected 13 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
IBM QRadar SIEM <7.5.0 UP15 IF04 IBM / QRadar SIEM		<7.5.0 UP15 IF04
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

References

48 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.postgresql.org/about/news/postgresql-…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://ubuntu.com/security/notices/USN-8294-1	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:21182	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2026:22878	external
https://lists.opensuse.org/archives/list/security…	external
https://alas.aws.amazon.com/AL2/ALAS2-2026-3344.html	external
https://alas.aws.amazon.com/AL2/ALAS2POSTGRESQL14…	external
https://alas.aws.amazon.com/AL2/ALAS2POSTGRESQL14…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://errata.build.resf.org/RLSA-2026:26181	external
https://errata.build.resf.org/RLSA-2026:26203	external
https://errata.build.resf.org/RLSA-2026:26204	external
https://access.redhat.com/errata/RHSA-2026:26524	external
https://access.redhat.com/errata/RHSA-2026:26203	external
https://www.ibm.com/support/pages/node/7276589	external
https://access.redhat.com/errata/RHSA-2026:26525	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "PostgreSQL ist eine frei verf\u00fcgbare Datenbank f\u00fcr unterschiedliche Betriebssysteme.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in PostgreSQL ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, um Informationen offenzulegen, um Dateien zu manipulieren, um einen SQL-Injection Angriff durchzuf\u00fchren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1544 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1544.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1544 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1544"
      },
      {
        "category": "external",
        "summary": "PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released! vom 2026-05-14",
        "url": "https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6472 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6472/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6473 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6473/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6474 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6474/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6475 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6475/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6476 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6476/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6477 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6478 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6479 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6479/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6575 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6575/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6637 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6637/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6638 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6638/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6270 vom 2026-05-14",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00181.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6269 vom 2026-05-14",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00180.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1945-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026110.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1942-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026113.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1943-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026112.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1944-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026111.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1946-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026109.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10806-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6YSTLJLCOHBA5K6KCIY47SN3JXTACGJL/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10808-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GQYHZFIKPKIZ7MMEAQ5QEBKP4ZEPVM6O/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2000-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026152.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1999-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026153.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2001-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026151.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2007-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026146.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8294-1 vom 2026-05-21",
        "url": "https://ubuntu.com/security/notices/USN-8294-1"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10828-1 vom 2026-05-22",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RYNAVHGMZLCA7MJQOKRUKYTWYO5QPYBN/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2086-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026358.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2084-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026360.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2085-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026359.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:21182 vom 2026-05-28",
        "url": "https://access.redhat.com/errata/RHSA-2026:21182"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2117-1 vom 2026-05-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026392.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:22878 vom 2026-06-03",
        "url": "https://access.redhat.com/errata/RHSA-2026:22878"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20901-1 vom 2026-06-05",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E4RJTUOUUH6ZVOY2RAM43VMDKHBNQPKX/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2026-3344 vom 2026-06-09",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3344.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2POSTGRESQL14-2026-023 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2POSTGRESQL14-2026-023.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2POSTGRESQL14-2026-024 vom 2026-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2POSTGRESQL14-2026-024.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2303-1 vom 2026-06-08",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026645.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:22077-1 vom 2026-06-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026753.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:26181 vom 2026-06-17",
        "url": "https://errata.build.resf.org/RLSA-2026:26181"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:26203 vom 2026-06-16",
        "url": "https://errata.build.resf.org/RLSA-2026:26203"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:26204 vom 2026-06-17",
        "url": "https://errata.build.resf.org/RLSA-2026:26204"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:26524 vom 2026-06-17",
        "url": "https://access.redhat.com/errata/RHSA-2026:26524"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:26203 vom 2026-06-16",
        "url": "https://access.redhat.com/errata/RHSA-2026:26203"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7276589 vom 2026-06-16",
        "url": "https://www.ibm.com/support/pages/node/7276589"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:26525 vom 2026-06-17",
        "url": "https://access.redhat.com/errata/RHSA-2026:26525"
      }
    ],
    "source_lang": "en-US",
    "title": "PostgreSQL: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-16T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-17T09:55:14.470+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1544",
      "initial_release_date": "2026-05-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE und SUSE aufgenommen"
        },
        {
          "date": "2026-05-21T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-31T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-06-04T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-07T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-06-08T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Amazon und SUSE aufgenommen"
        },
        {
          "date": "2026-06-14T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-06-16T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation, Red Hat und IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP15 IF04",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP15 IF04",
                  "product_id": "T055485"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP15 IF04",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP15 IF04",
                  "product_id": "T055485-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up15_if04"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c18.4",
                "product": {
                  "name": "Open Source PostgreSQL \u003c18.4",
                  "product_id": "T054209"
                }
              },
              {
                "category": "product_version",
                "name": "18.4",
                "product": {
                  "name": "Open Source PostgreSQL 18.4",
                  "product_id": "T054209-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:18.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c17.10",
                "product": {
                  "name": "Open Source PostgreSQL \u003c17.10",
                  "product_id": "T054210"
                }
              },
              {
                "category": "product_version",
                "name": "17.1",
                "product": {
                  "name": "Open Source PostgreSQL 17.10",
                  "product_id": "T054210-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:17.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.14",
                "product": {
                  "name": "Open Source PostgreSQL \u003c16.14",
                  "product_id": "T054211"
                }
              },
              {
                "category": "product_version",
                "name": "16.14",
                "product": {
                  "name": "Open Source PostgreSQL 16.14",
                  "product_id": "T054211-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:16.14"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.18",
                "product": {
                  "name": "Open Source PostgreSQL \u003c15.18",
                  "product_id": "T054212"
                }
              },
              {
                "category": "product_version",
                "name": "15.18",
                "product": {
                  "name": "Open Source PostgreSQL 15.18",
                  "product_id": "T054212-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:15.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c14.23",
                "product": {
                  "name": "Open Source PostgreSQL \u003c14.23",
                  "product_id": "T054213"
                }
              },
              {
                "category": "product_version",
                "name": "14.23",
                "product": {
                  "name": "Open Source PostgreSQL 14.23",
                  "product_id": "T054213-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:14.23"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PostgreSQL"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6472",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6472"
    },
    {
      "cve": "CVE-2026-6473",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6473"
    },
    {
      "cve": "CVE-2026-6474",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6474"
    },
    {
      "cve": "CVE-2026-6475",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6475"
    },
    {
      "cve": "CVE-2026-6476",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6476"
    },
    {
      "cve": "CVE-2026-6477",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6477"
    },
    {
      "cve": "CVE-2026-6478",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6478"
    },
    {
      "cve": "CVE-2026-6479",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6479"
    },
    {
      "cve": "CVE-2026-6575",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6575"
    },
    {
      "cve": "CVE-2026-6637",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6637"
    },
    {
      "cve": "CVE-2026-6638",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "T055485",
          "67646",
          "T032255",
          "T054213",
          "T054212",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6638"
    }
  ]
}

CVE-2026-6472 (GCVE-0-2026-6472)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 13:43

Title

PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

Summary

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-862 - Missing Authorization

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6472",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:43:42.467820Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:43:48.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has permission to create objects (temporary objects or non-temporary objects in at least one schema)"
        },
        {
          "lang": "en",
          "value": "victim query finds non-pg_catalog types via search_path"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types.  That is to say, the victim will execute arbitrary SQL functions of the attacker\u0027s choice.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:02.086Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6472/"
        }
      ],
      "title": "PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6472",
    "datePublished": "2026-05-14T13:00:02.086Z",
    "dateReserved": "2026-04-17T00:23:44.190Z",
    "dateUpdated": "2026-05-14T13:43:48.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6473 (GCVE-0-2026-6473)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-06-30 12:06

Title

PostgreSQL server undersizes allocations, via integer wraparound

Summary

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

PostgreSQL

References

26 references

URL	Tags
https://www.postgresql.org/support/security/CVE-2…
https://access.redhat.com/security/cve/CVE-2026-6473	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2477448	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:27718	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27743	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27742	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27738	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28999	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26181	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28143	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29815	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:32994	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26561	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29953	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33441	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26524	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29904	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:32983	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26525	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29212	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28037	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26203	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26204	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27741	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22878	vendor-advisoryx_refsource_REDHAT

Impacted products

21 products

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)
Red Hat	Red Hat Enterprise Linux AppStream EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux AppStream (v. 10)	cpe:/o:redhat:enterprise_linux:10.2
Red Hat	Red Hat Enterprise Linux AppStream (v. 8)	cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux AppStream AUS (v.8.6)	cpe:/a:redhat:rhel_aus:8.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)	cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.8.8)	cpe:/a:redhat:rhel_e4s:8.8::appstream
Red Hat	Red Hat Enterprise Linux AppStream TUS (v.8.8)	cpe:/a:redhat:rhel_tus:8.8::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.9.2)	cpe:/a:redhat:rhel_e4s:9.2::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.9.4)	cpe:/a:redhat:rhel_e4s:9.4::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream (v. 9)	cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)	cpe:/o:redhat:enterprise_linux:10.2
Red Hat	Red Hat CodeReady Linux Builder EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::crb
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)	cpe:/a:redhat:enterprise_linux:9::crb
Red Hat	Red Hat Hardened Images	cpe:/a:redhat:hummingbird:1
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Self-service automation portal 2	cpe:/a:redhat:ansible_portal:2

Credits

The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6473",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:15.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_portal:2"
            ],
            "defaultStatus": "affected",
            "product": "Self-service automation portal 2",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-14T13:00:09.446Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in PostgreSQL. An integer overflow in multiple server features allows an unprivileged database user to cause an undersized memory allocation that leads to an out-of-bounds write. This issue allows an attacker to execute arbitrary code as the operating system user running the database or, in applications that pass gigabyte-scale user inputs to the relevant database functions, to cause a segmentation fault, resulting in a denial of service."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:06:06.766Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-6473"
          },
          {
            "name": "RHBZ#2477448",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477448"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6473.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27718"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27743"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27742"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27738"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28999"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26181"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28143"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29815"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:32994"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26561"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29953"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33441"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26524"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29904"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:32983"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26525"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29212"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28037"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26203"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26204"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27741"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22878"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:27718: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27743: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27742: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27738: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28999: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26181: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28143: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29815: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:32994: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26561: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29953: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33441: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26524: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29904: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:32983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26525: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29212: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28037: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26203: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26204: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27741: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22878: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-14T14:01:48.197Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-14T13:00:09.446Z",
            "value": "Made public."
          }
        ],
        "title": "postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this vulnerability, validate the length of data and the size of objects on all client APIs and web interfaces. Also, block, drop, or truncate oversized string, array, or binary objects before they are passed into backend SQL queries."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds.  This may execute arbitrary code as the operating system user running the database.  In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:09.446Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6473/"
        }
      ],
      "title": "PostgreSQL server undersizes allocations, via integer wraparound"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6473",
    "datePublished": "2026-05-14T13:00:09.446Z",
    "dateReserved": "2026-04-17T00:27:22.802Z",
    "dateUpdated": "2026-06-30T12:06:06.766Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6474 (GCVE-0-2026-6474)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:30

Title

PostgreSQL timeofday() can disclose portions of server memory

Summary

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-134 - Use of Externally-Controlled Format String

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Xint Code for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6474",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:30:17.967244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:30:37.425Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Xint Code for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "Use of Externally-Controlled Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:10.254Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6474/"
        }
      ],
      "title": "PostgreSQL timeofday() can disclose portions of server memory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6474",
    "datePublished": "2026-05-14T13:00:10.254Z",
    "dateReserved": "2026-04-17T00:36:25.451Z",
    "dateUpdated": "2026-05-14T15:30:37.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6475 (GCVE-0-2026-6475)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

Summary

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:16.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account.  It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries.  Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:11.039Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6475/"
        }
      ],
      "title": "PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6475",
    "datePublished": "2026-05-14T13:00:11.039Z",
    "dateReserved": "2026-04-17T00:43:21.782Z",
    "dateUpdated": "2026-05-15T03:56:16.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6476 (GCVE-0-2026-6476)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Summary

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Severity

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm)

Credits

The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:17.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has pg_create_subscription rights"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Yu Kunpeng for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser.  The attack takes effect when pg_createsubscriber next runs.  Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected.  Versions before PostgreSQL 17 are unaffected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:11.865Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6476/"
        }
      ],
      "title": "PostgreSQL pg_createsubscriber allows SQL injection via subscription name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6476",
    "datePublished": "2026-05-14T13:00:11.865Z",
    "dateReserved": "2026-04-17T00:43:55.119Z",
    "dateUpdated": "2026-05-15T03:56:17.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6477 (GCVE-0-2026-6477)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-06-30 12:06

Title

PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

Summary

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-242 - Use of Inherently Dangerous Function
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

PostgreSQL

References

25 references

URL	Tags
https://www.postgresql.org/support/security/CVE-2…
https://access.redhat.com/security/cve/CVE-2026-6477	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2477442	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:27718	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27743	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27742	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27738	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26181	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29815	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:32994	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26561	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29953	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33441	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26524	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29904	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:32983	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26525	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29212	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28037	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26203	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26204	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27741	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21182	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22878	vendor-advisoryx_refsource_REDHAT

Impacted products

21 products

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)
Red Hat	Red Hat Enterprise Linux AppStream EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux AppStream (v. 10)	cpe:/o:redhat:enterprise_linux:10.2
Red Hat	Red Hat Enterprise Linux AppStream (v. 8)	cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux AppStream AUS (v.8.6)	cpe:/a:redhat:rhel_aus:8.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)	cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.8.8)	cpe:/a:redhat:rhel_e4s:8.8::appstream
Red Hat	Red Hat Enterprise Linux AppStream TUS (v.8.8)	cpe:/a:redhat:rhel_tus:8.8::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.9.2)	cpe:/a:redhat:rhel_e4s:9.2::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.9.4)	cpe:/a:redhat:rhel_e4s:9.4::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream (v. 9)	cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)	cpe:/o:redhat:enterprise_linux:10.2
Red Hat	Red Hat CodeReady Linux Builder EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::crb
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)	cpe:/a:redhat:enterprise_linux:9::crb
Red Hat	Red Hat Hardened Images	cpe:/a:redhat:hummingbird:1
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Self-service automation portal 2	cpe:/a:redhat:ansible_portal:2

Credits

The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:18.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_portal:2"
            ],
            "defaultStatus": "affected",
            "product": "Self-service automation portal 2",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-14T13:00:12.497Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in PostgreSQL libpq. A server superuser can exploit a buffer overflow vulnerability in the PQfn function, which is used by client functions such as lo_export(), lo_read(), lo_lseek64(), and lo_tell64(). This allows the superuser to send an arbitrarily large response, overwriting the client\u0027s stack memory, specifically in tools like psql and pg_dump. This could lead to arbitrary code execution on the client system."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:06:06.481Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-6477"
          },
          {
            "name": "RHBZ#2477442",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477442"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6477.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27718"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27743"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27742"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27738"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26181"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29815"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:32994"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26561"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29953"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33441"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26524"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29904"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:32983"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26525"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29212"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28037"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26203"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26204"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27741"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21182"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22878"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:27718: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27743: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27742: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27738: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26181: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29815: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:32994: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26561: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29953: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33441: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26524: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29904: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:32983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26525: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29212: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28037: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26203: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26204: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27741: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21182: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22878: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-14T14:01:31.087Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-14T13:00:12.497Z",
            "value": "Made public."
          }
        ],
        "title": "postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory",
        "workarounds": [
          {
            "lang": "en",
            "value": "Only connect to trusted PostgreSQL servers. Avoid using psql or pg_dump against untrusted or potentially compromised database servers."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response.  Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size.  Because both the \\lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-242",
              "description": "Use of Inherently Dangerous Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:12.497Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
        }
      ],
      "title": "PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory",
      "workarounds": [
        {
          "lang": "en",
          "value": "use PQexecPrepared(), not PQfn(..., result_is_int=0, ...) or its lo_* wrappers"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6477",
    "datePublished": "2026-05-14T13:00:12.497Z",
    "dateReserved": "2026-04-17T00:44:19.965Z",
    "dateUpdated": "2026-06-30T12:06:06.481Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6478 (GCVE-0-2026-6478)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-06-30 12:06

Title

PostgreSQL discloses MD5-hashed passwords via covert timing channel

Summary

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-385 - Covert Timing Channel

Assigner

PostgreSQL

References

28 references

URL	Tags
https://www.postgresql.org/support/security/CVE-2…
https://access.redhat.com/security/cve/CVE-2026-6478	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2477447	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:27718	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27743	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27742	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27738	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28999	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28208	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26181	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28143	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29815	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:32994	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26561	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29953	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33441	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26524	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29904	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:32983	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26525	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:29212	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28037	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26203	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26204	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:27741	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21182	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22878	vendor-advisoryx_refsource_REDHAT

Impacted products

21 products

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)
Red Hat	Red Hat Enterprise Linux AppStream EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux AppStream (v. 10)	cpe:/o:redhat:enterprise_linux:10.2
Red Hat	Red Hat Enterprise Linux AppStream (v. 8)	cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux AppStream AUS (v.8.6)	cpe:/a:redhat:rhel_aus:8.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)	cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.8.8)	cpe:/a:redhat:rhel_e4s:8.8::appstream
Red Hat	Red Hat Enterprise Linux AppStream TUS (v.8.8)	cpe:/a:redhat:rhel_tus:8.8::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.9.2)	cpe:/a:redhat:rhel_e4s:9.2::appstream
Red Hat	Red Hat Enterprise Linux AppStream E4S (v.9.4)	cpe:/a:redhat:rhel_e4s:9.4::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream (v. 9)	cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)	cpe:/o:redhat:enterprise_linux:10.2
Red Hat	Red Hat CodeReady Linux Builder EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::crb
Red Hat	Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)	cpe:/a:redhat:enterprise_linux:9::crb
Red Hat	Red Hat Hardened Images	cpe:/a:redhat:hummingbird:1
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Self-service automation portal 2	cpe:/a:redhat:ansible_portal:2
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8

Credits

The PostgreSQL project thanks Joe Conway for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6478",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:32:42.868340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:33:03.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_portal:2"
            ],
            "defaultStatus": "affected",
            "product": "Self-service automation portal 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-14T13:00:13.174Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts databases that retain MD5-hashed passwords from upgrades of PostgreSQL 13 or earlier."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-385",
                "description": "Covert Timing Channel",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:06:06.195Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-6478"
          },
          {
            "name": "RHBZ#2477447",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477447"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6478.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27718"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27743"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27742"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27738"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28999"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28208"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26181"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28143"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29815"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:32994"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26561"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29953"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33441"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26524"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29904"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:32983"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26525"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29212"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28037"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26203"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26204"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27741"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21182"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22878"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:27718: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27743: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27742: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27738: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28999: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28208: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26181: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28143: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29815: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:32994: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26561: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29953: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33441: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26524: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29904: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:32983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26525: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29212: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28037: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26203: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26204: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27741: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21182: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22878: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-14T14:01:45.568Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-14T13:00:13.174Z",
            "value": "Made public."
          }
        ],
        "title": "postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this vulnerability, ensure that all PostgreSQL user passwords are not hashed using MD5. Users should migrate to stronger hashing algorithms such as `scram-sha-256`. This can be achieved by altering user passwords, which will automatically update their hash to the currently configured default. For example, to change a user\u0027s password: `ALTER USER username WITH PASSWORD \u0027new_password\u0027;` This action will require users to re-authenticate. If a service relies on these credentials, it may require a restart to pick up the new authentication details."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "victim user has a usable MD5 password"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Joe Conway for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate.  This does not affect scram-sha-256 passwords, the default in all supported releases.  However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-385",
              "description": "Covert Timing Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:13.174Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
        }
      ],
      "title": "PostgreSQL discloses MD5-hashed passwords via covert timing channel",
      "workarounds": [
        {
          "lang": "en",
          "value": "reset password with password_encryption=scram-sha-256"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6478",
    "datePublished": "2026-05-14T13:00:13.174Z",
    "dateReserved": "2026-04-17T00:44:57.549Z",
    "dateUpdated": "2026-06-30T12:06:06.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6479 (GCVE-0-2026-6479)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:26

Title

PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

Summary

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:26:13.223741Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:26:20.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service.  If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:13.859Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6479/"
        }
      ],
      "title": "PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion",
      "workarounds": [
        {
          "lang": "en",
          "value": "enable SSL and/or GSS; disable unix_socket_directories"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6479",
    "datePublished": "2026-05-14T13:00:13.859Z",
    "dateReserved": "2026-04-17T00:45:37.869Z",
    "dateUpdated": "2026-05-14T15:26:20.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6575 (GCVE-0-2026-6575)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:26

Title

PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

Summary

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-126 - Buffer Over-read

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm)

Credits

The PostgreSQL project thanks Jeroen Gui for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6575",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:26:33.401571Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:26:40.715Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has permission to create objects (temporary objects or non-temporary objects in at least one schema) or permission to maintain an existing table"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Jeroen Gui for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array.  This allows a table maintainer to infer memory values past that array end.  Within major version 18, minor versions before PostgreSQL 18.4 are affected.  Versions before PostgreSQL 18 are unaffected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-126",
              "description": "Buffer Over-read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:14.542Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6575/"
        }
      ],
      "title": "PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6575",
    "datePublished": "2026-05-14T13:00:14.542Z",
    "dateReserved": "2026-04-19T00:06:35.060Z",
    "dateUpdated": "2026-05-14T15:26:40.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6637 (GCVE-0-2026-6637)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL refint allows stack buffer overflow and SQL injection

Summary

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-121 - Stack-based Buffer Overflow
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6637",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:19.781Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "superuser previously installed the refint extension"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stack buffer overflow in PostgreSQL module \"refint\" allows an unprivileged database user to execute arbitrary code as the operating system user running the database.  A distinct attack is possible if the application declares a user-controlled column as a \"refint\" cascade primary key and facilitates user-controlled updates to that column.  In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-89",
              "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:15.223Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6637/"
        }
      ],
      "title": "PostgreSQL refint allows stack buffer overflow and SQL injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6637",
    "datePublished": "2026-05-14T13:00:15.223Z",
    "dateReserved": "2026-04-19T19:58:20.340Z",
    "dateUpdated": "2026-05-15T03:56:19.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1544

CVE-2026-6472 (GCVE-0-2026-6472)

CVE-2026-6473 (GCVE-0-2026-6473)

CVE-2026-6474 (GCVE-0-2026-6474)

CVE-2026-6475 (GCVE-0-2026-6475)

CVE-2026-6476 (GCVE-0-2026-6476)

CVE-2026-6477 (GCVE-0-2026-6477)

CVE-2026-6478 (GCVE-0-2026-6478)

CVE-2026-6479 (GCVE-0-2026-6479)

CVE-2026-6575 (GCVE-0-2026-6575)

CVE-2026-6637 (GCVE-0-2026-6637)

Tags

Sightings

Nomenclature