Vulnerability-Lookup

WID-SEC-W-2026-1544

Vulnerability from csaf_certbund - Published: 2026-05-14 22:00 - Updated: 2026-05-27 22:00

Summary

PostgreSQL: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: PostgreSQL ist eine frei verfügbare Datenbank für unterschiedliche Betriebssysteme.

Angriff: Ein Angreifer kann mehrere Schwachstellen in PostgreSQL ausnutzen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um Dateien zu manipulieren, um einen SQL-Injection Angriff durchzuführen, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - MacOS X - UNIX - Windows

CVE-2026-6472

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6473

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6474

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6475

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6476

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6477

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6478

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6479

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6575

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6637

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

CVE-2026-6638

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source PostgreSQL <16.14 Open Source / PostgreSQL		<16.14
Open Source PostgreSQL <17.10 Open Source / PostgreSQL		<17.10
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source PostgreSQL <18.4 Open Source / PostgreSQL		<18.4
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Open Source PostgreSQL <14.23 Open Source / PostgreSQL		<14.23
Open Source PostgreSQL <15.18 Open Source / PostgreSQL		<15.18

References

32 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.postgresql.org/about/news/postgresql-…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://www.postgresql.org/support/security/CVE-2…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.debian.org/debian-security-announce…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://ubuntu.com/security/notices/USN-8294-1	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "PostgreSQL ist eine frei verf\u00fcgbare Datenbank f\u00fcr unterschiedliche Betriebssysteme.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in PostgreSQL ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, um Informationen offenzulegen, um Dateien zu manipulieren, um einen SQL-Injection Angriff durchzuf\u00fchren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1544 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1544.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1544 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1544"
      },
      {
        "category": "external",
        "summary": "PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released! vom 2026-05-14",
        "url": "https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6472 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6472/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6473 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6473/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6474 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6474/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6475 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6475/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6476 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6476/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6477 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6478 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6479 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6479/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6575 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6575/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6637 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6637/"
      },
      {
        "category": "external",
        "summary": "PostgreSQL Security Advisory CVE-2026-6638 vom 2026-05-14",
        "url": "https://www.postgresql.org/support/security/CVE-2026-6638/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6270 vom 2026-05-14",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00181.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6269 vom 2026-05-14",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00180.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1945-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026110.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1942-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026113.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1943-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026112.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1944-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026111.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1946-1 vom 2026-05-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026109.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10806-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6YSTLJLCOHBA5K6KCIY47SN3JXTACGJL/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10808-1 vom 2026-05-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GQYHZFIKPKIZ7MMEAQ5QEBKP4ZEPVM6O/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2000-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026152.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1999-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026153.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2001-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026151.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2007-1 vom 2026-05-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026146.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8294-1 vom 2026-05-21",
        "url": "https://ubuntu.com/security/notices/USN-8294-1"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10828-1 vom 2026-05-22",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RYNAVHGMZLCA7MJQOKRUKYTWYO5QPYBN/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2086-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026358.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2084-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026360.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2085-1 vom 2026-05-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026359.html"
      }
    ],
    "source_lang": "en-US",
    "title": "PostgreSQL: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T07:29:00.010+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1544",
      "initial_release_date": "2026-05-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE und SUSE aufgenommen"
        },
        {
          "date": "2026-05-21T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c18.4",
                "product": {
                  "name": "Open Source PostgreSQL \u003c18.4",
                  "product_id": "T054209"
                }
              },
              {
                "category": "product_version",
                "name": "18.4",
                "product": {
                  "name": "Open Source PostgreSQL 18.4",
                  "product_id": "T054209-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:18.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c17.10",
                "product": {
                  "name": "Open Source PostgreSQL \u003c17.10",
                  "product_id": "T054210"
                }
              },
              {
                "category": "product_version",
                "name": "17.1",
                "product": {
                  "name": "Open Source PostgreSQL 17.10",
                  "product_id": "T054210-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:17.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.14",
                "product": {
                  "name": "Open Source PostgreSQL \u003c16.14",
                  "product_id": "T054211"
                }
              },
              {
                "category": "product_version",
                "name": "16.14",
                "product": {
                  "name": "Open Source PostgreSQL 16.14",
                  "product_id": "T054211-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:16.14"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.18",
                "product": {
                  "name": "Open Source PostgreSQL \u003c15.18",
                  "product_id": "T054212"
                }
              },
              {
                "category": "product_version",
                "name": "15.18",
                "product": {
                  "name": "Open Source PostgreSQL 15.18",
                  "product_id": "T054212-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:15.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c14.23",
                "product": {
                  "name": "Open Source PostgreSQL \u003c14.23",
                  "product_id": "T054213"
                }
              },
              {
                "category": "product_version",
                "name": "14.23",
                "product": {
                  "name": "Open Source PostgreSQL 14.23",
                  "product_id": "T054213-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:postgresql:postgresql:14.23"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PostgreSQL"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6472",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6472"
    },
    {
      "cve": "CVE-2026-6473",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6473"
    },
    {
      "cve": "CVE-2026-6474",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6474"
    },
    {
      "cve": "CVE-2026-6475",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6475"
    },
    {
      "cve": "CVE-2026-6476",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6476"
    },
    {
      "cve": "CVE-2026-6477",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6477"
    },
    {
      "cve": "CVE-2026-6478",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6478"
    },
    {
      "cve": "CVE-2026-6479",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6479"
    },
    {
      "cve": "CVE-2026-6575",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6575"
    },
    {
      "cve": "CVE-2026-6637",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6637"
    },
    {
      "cve": "CVE-2026-6638",
      "product_status": {
        "known_affected": [
          "T054211",
          "T054210",
          "2951",
          "T002207",
          "T000126",
          "T054209",
          "T027843",
          "T054213",
          "T054212"
        ]
      },
      "release_date": "2026-05-14T22:00:00.000+00:00",
      "title": "CVE-2026-6638"
    }
  ]
}

CVE-2026-6472 (GCVE-0-2026-6472)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 13:43

Title

PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

Summary

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-862 - Missing Authorization

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6472",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:43:42.467820Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:43:48.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has permission to create objects (temporary objects or non-temporary objects in at least one schema)"
        },
        {
          "lang": "en",
          "value": "victim query finds non-pg_catalog types via search_path"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types.  That is to say, the victim will execute arbitrary SQL functions of the attacker\u0027s choice.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:02.086Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6472/"
        }
      ],
      "title": "PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6472",
    "datePublished": "2026-05-14T13:00:02.086Z",
    "dateReserved": "2026-04-17T00:23:44.190Z",
    "dateUpdated": "2026-05-14T13:43:48.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6473 (GCVE-0-2026-6473)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL server undersizes allocations, via integer wraparound

Summary

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6473",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:15.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds.  This may execute arbitrary code as the operating system user running the database.  In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:09.446Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6473/"
        }
      ],
      "title": "PostgreSQL server undersizes allocations, via integer wraparound"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6473",
    "datePublished": "2026-05-14T13:00:09.446Z",
    "dateReserved": "2026-04-17T00:27:22.802Z",
    "dateUpdated": "2026-05-15T03:56:15.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6474 (GCVE-0-2026-6474)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:30

Title

PostgreSQL timeofday() can disclose portions of server memory

Summary

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-134 - Use of Externally-Controlled Format String

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Xint Code for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6474",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:30:17.967244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:30:37.425Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Xint Code for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "Use of Externally-Controlled Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:10.254Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6474/"
        }
      ],
      "title": "PostgreSQL timeofday() can disclose portions of server memory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6474",
    "datePublished": "2026-05-14T13:00:10.254Z",
    "dateReserved": "2026-04-17T00:36:25.451Z",
    "dateUpdated": "2026-05-14T15:30:37.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6475 (GCVE-0-2026-6475)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

Summary

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:16.367Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account.  It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries.  Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:11.039Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6475/"
        }
      ],
      "title": "PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6475",
    "datePublished": "2026-05-14T13:00:11.039Z",
    "dateReserved": "2026-04-17T00:43:21.782Z",
    "dateUpdated": "2026-05-15T03:56:16.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6476 (GCVE-0-2026-6476)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Summary

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Severity

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm)

Credits

The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:17.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has pg_create_subscription rights"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Yu Kunpeng for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser.  The attack takes effect when pg_createsubscriber next runs.  Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected.  Versions before PostgreSQL 17 are unaffected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:11.865Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6476/"
        }
      ],
      "title": "PostgreSQL pg_createsubscriber allows SQL injection via subscription name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6476",
    "datePublished": "2026-05-14T13:00:11.865Z",
    "dateReserved": "2026-04-17T00:43:55.119Z",
    "dateUpdated": "2026-05-15T03:56:17.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6477 (GCVE-0-2026-6477)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

Summary

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-242 - Use of Inherently Dangerous Function

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:18.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response.  Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size.  Because both the \\lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-242",
              "description": "Use of Inherently Dangerous Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:12.497Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
        }
      ],
      "title": "PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory",
      "workarounds": [
        {
          "lang": "en",
          "value": "use PQexecPrepared(), not PQfn(..., result_is_int=0, ...) or its lo_* wrappers"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6477",
    "datePublished": "2026-05-14T13:00:12.497Z",
    "dateReserved": "2026-04-17T00:44:19.965Z",
    "dateUpdated": "2026-05-15T03:56:18.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6478 (GCVE-0-2026-6478)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:33

Title

PostgreSQL discloses MD5-hashed passwords via covert timing channel

Summary

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-385 - Covert Timing Channel

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Joe Conway for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6478",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:32:42.868340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:33:03.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "victim user has a usable MD5 password"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Joe Conway for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate.  This does not affect scram-sha-256 passwords, the default in all supported releases.  However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-385",
              "description": "Covert Timing Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:13.174Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
        }
      ],
      "title": "PostgreSQL discloses MD5-hashed passwords via covert timing channel",
      "workarounds": [
        {
          "lang": "en",
          "value": "reset password with password_encryption=scram-sha-256"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6478",
    "datePublished": "2026-05-14T13:00:13.174Z",
    "dateReserved": "2026-04-17T00:44:57.549Z",
    "dateUpdated": "2026-05-14T15:33:03.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6479 (GCVE-0-2026-6479)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:26

Title

PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

Summary

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-674 - Uncontrolled Recursion

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:26:13.223741Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:26:20.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service.  If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:13.859Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6479/"
        }
      ],
      "title": "PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion",
      "workarounds": [
        {
          "lang": "en",
          "value": "enable SSL and/or GSS; disable unix_socket_directories"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6479",
    "datePublished": "2026-05-14T13:00:13.859Z",
    "dateReserved": "2026-04-17T00:45:37.869Z",
    "dateUpdated": "2026-05-14T15:26:20.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6575 (GCVE-0-2026-6575)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:26

Title

PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

Summary

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-126 - Buffer Over-read

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm)

Credits

The PostgreSQL project thanks Jeroen Gui for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6575",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:26:33.401571Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:26:40.715Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has permission to create objects (temporary objects or non-temporary objects in at least one schema) or permission to maintain an existing table"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Jeroen Gui for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array.  This allows a table maintainer to infer memory values past that array end.  Within major version 18, minor versions before PostgreSQL 18.4 are affected.  Versions before PostgreSQL 18 are unaffected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-126",
              "description": "Buffer Over-read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:14.542Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6575/"
        }
      ],
      "title": "PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6575",
    "datePublished": "2026-05-14T13:00:14.542Z",
    "dateReserved": "2026-04-19T00:06:35.060Z",
    "dateUpdated": "2026-05-14T15:26:40.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6637 (GCVE-0-2026-6637)

Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56

Title

PostgreSQL refint allows stack buffer overflow and SQL injection

Summary

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

PostgreSQL

References

1 reference

URL	Tags
https://www.postgresql.org/support/security/CVE-2…

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: 18 , < 18.4 (rpm) Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm)

Credits

The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6637",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T03:56:19.781Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "18.4",
              "status": "affected",
              "version": "18",
              "versionType": "rpm"
            },
            {
              "lessThan": "17.10",
              "status": "affected",
              "version": "17",
              "versionType": "rpm"
            },
            {
              "lessThan": "16.14",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.18",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.23",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "superuser previously installed the refint extension"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stack buffer overflow in PostgreSQL module \"refint\" allows an unprivileged database user to execute arbitrary code as the operating system user running the database.  A distinct attack is possible if the application declares a user-controlled column as a \"refint\" cascade primary key and facilitates user-controlled updates to that column.  In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-89",
              "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T13:00:15.223Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2026-6637/"
        }
      ],
      "title": "PostgreSQL refint allows stack buffer overflow and SQL injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2026-6637",
    "datePublished": "2026-05-14T13:00:15.223Z",
    "dateReserved": "2026-04-19T19:58:20.340Z",
    "dateUpdated": "2026-05-15T03:56:19.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1544

CVE-2026-6472 (GCVE-0-2026-6472)

CVE-2026-6473 (GCVE-0-2026-6473)

CVE-2026-6474 (GCVE-0-2026-6474)

CVE-2026-6475 (GCVE-0-2026-6475)

CVE-2026-6476 (GCVE-0-2026-6476)

CVE-2026-6477 (GCVE-0-2026-6477)

CVE-2026-6478 (GCVE-0-2026-6478)

CVE-2026-6479 (GCVE-0-2026-6479)

CVE-2026-6575 (GCVE-0-2026-6575)

CVE-2026-6637 (GCVE-0-2026-6637)

Tags

Sightings

Nomenclature