SB20260514106 - Multiple vulnerabilities in PostgreSQL
Published: May 14, 2026
Description
This security bulletin contains information about 11 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-6472)
The vulnerability allows a remote user to execute arbitrary SQL functions in the context of other users' queries.
The vulnerability exists because the CREATE TYPE command can create a multirange type without checking that the issuing user holds CREATE privilege on the target schema. A remote authenticated user can plant a crafted type in a schema they should not be able to write to, so that it executes arbitrary SQL functions in victim queries.
Any query that resolves a user-defined type through search_path, including extension-defined types, can be hijacked by a type planted this way.
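The following audit query is an added example for this item and is not part of the bulletin or of PostgreSQL's own tooling. It lists every multirange type (pg_type.typtype = 'm', which exists only from PostgreSQL 14 onward) together with its owner and the range type it belongs to, and flags those whose owner does not currently hold CREATE on the containing schema. This is a heuristic: privileges may have been granted or revoked since the type was created, and superusers always pass has_schema_privilege(), so review the output rather than treating an empty result as proof of absence.

```sql
-- Added audit query (not from the bulletin): multirange types whose owner
-- lacks CREATE on the schema that contains them. Assumes PostgreSQL 14+;
-- pg_type/pg_range/pg_namespace are readable by any role.
SELECT n.nspname                      AS schema,
       t.typname                      AS multirange_type,
       pg_get_userbyid(t.typowner)    AS owner,
       rn.nspname || '.' || r.typname AS range_type
FROM pg_catalog.pg_type t
JOIN pg_catalog.pg_namespace n  ON n.oid  = t.typnamespace
JOIN pg_catalog.pg_range rg     ON rg.rngmultitypid = t.oid
JOIN pg_catalog.pg_type r       ON r.oid  = rg.rngtypid
JOIN pg_catalog.pg_namespace rn ON rn.oid = r.typnamespace
WHERE t.typtype = 'm'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT has_schema_privilege(t.typowner, n.oid, 'CREATE')
ORDER BY 1, 2;
```

Run it as a role that can see all schemas (a superuser is simplest). Rows returned are candidates for DROP TYPE after confirming with the owner; also compare the schema of the multirange against the schema of its range type, since a type that lands in a schema its owner cannot normally write to is the pattern this item describes.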
2) Integer overflow (CVE-ID: CVE-2026-6473)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to integer overflow in several PostgreSQL server features when processing application-supplied input. A remote user can supply crafted input to crash the server backend.
Because the wraparound undersizes an allocation, the subsequent out-of-bounds write crashes the backend with a segmentation fault.
3) Format string error (CVE-ID: CVE-2026-6474)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to an externally-controlled format string in the timeofday() function when processing a crafted time zone value. A remote user can supply such a value to read portions of server memory.
The disclosed memory may contain data from other sessions or internal server state.
4) Link following (CVE-ID: CVE-2026-6475)
The vulnerability allows an attacker who controls the origin server to overwrite arbitrary local files on the host running the client tool.
The vulnerability exists because pg_basebackup in plain format and pg_rewind follow symlinks when writing files received from an origin server. A malicious or compromised origin server can send crafted symlinks so that subsequent writes land outside the intended data directory.
User interaction is required: the victim must run pg_basebackup or pg_rewind against the attacker-controlled server. The attack has practical impact only if the resulting files are acted on before the new server is started, for example by moving them to a different VM or snapshotting the VM. As a check, inspect the output directory for symlinks before using it; the only symlinks these tools legitimately create are the tablespace links under pg_tblspc and, when pg_basebackup is run with --waldir, the pg_wal link.
5) SQL injection (CVE-ID: CVE-2026-6476)
The vulnerability allows a remote user to execute arbitrary SQL as a superuser.
The vulnerability exists due to SQL injection in pg_createsubscriber when it interpolates a subscription name into SQL. A remote privileged user who can influence the subscription name can cause arbitrary SQL to run as a superuser.
The injected SQL executes the next time pg_createsubscriber runs with the crafted name.
6) Stack-based buffer overflow (CVE-ID: CVE-2026-6477)
The vulnerability allows a remote attacker to overwrite client stack memory.
The vulnerability exists due to a stack-based buffer overflow in the libpq lo_* functions when an arbitrarily large server response is processed through PQfn(..., result_is_int=0, ...). A malicious or compromised server can return a crafted response that overwrites stack memory in the connecting client.
User interaction is required: the victim must invoke affected client functionality, such as psql's \lo_export or pg_dump, against the malicious server. The affected functions are lo_export(), lo_read(), lo_lseek64(), and lo_tell64(). Note that libpq is shipped with client tools and language drivers, some of which bundle their own copy, so updating the server alone does not address this item.
7) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-6478)
The vulnerability allows a remote attacker to recover credentials sufficient to authenticate.
The vulnerability exists due to observable timing discrepancies in the comparison of MD5-hashed passwords during authentication. A remote attacker who can repeatedly attempt authentication can measure response timing to recover credentials sufficient to log in.
The issue does not affect scram-sha-256 passwords. It applies only to roles whose stored verifier is an MD5 hash, which typically survive from clusters upgraded from PostgreSQL 13 or earlier (14 made scram-sha-256 the default password_encryption). Rehashing those roles' passwords with scram-sha-256 removes the exposure independently of the server update.
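The following statements are an added example for this item, not text or code from the bulletin. The first query classifies every login role by the kind of verifier stored in pg_authid (reading pg_authid requires a superuser); the remaining statements show how to move one role to a SCRAM verifier. The role name app_user and the placeholder secret are assumptions for illustration.

```sql
-- Added audit query (not from the bulletin): which login roles still carry an
-- MD5 verifier. pg_authid.rolpassword is readable only by superusers.
SELECT rolname,
       CASE WHEN rolpassword IS NULL                THEN '(no password)'
            WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            ELSE 'other' END AS verifier
FROM pg_catalog.pg_authid
WHERE rolcanlogin
ORDER BY verifier, rolname;

-- Confirm new passwords will be hashed with SCRAM (the default since 14).
SHOW password_encryption;

-- Rehash one role. Setting the password again stores a new verifier in the
-- format selected by password_encryption for this session. 'app_user' and the
-- secret are placeholders, not values from the bulletin.
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_user PASSWORD 'replace-with-a-new-secret';
```

Prefer psql's \password over a literal ALTER ROLE ... PASSWORD where possible: \password hashes on the client, so the cleartext never reaches server logs. Once no md5 verifiers remain, switching pg_hba.conf entries from md5 to scram-sha-256 ensures any role that is later created with an MD5 verifier cannot log in.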
8) Uncontrolled Recursion (CVE-ID: CVE-2026-6479)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in SSL and GSS negotiation when initializing connections. A remote attacker can connect to a vulnerable socket to cause a denial of service.
If both SSL and GSS are disabled, the issue is reachable by anyone who can connect to the PostgreSQL TCP socket; otherwise the attacker must be able to connect to the server's AF_UNIX socket.
9) Out-of-bounds read (CVE-ID: CVE-2026-6575)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the pg_restore_attribute_stats() function when it accepts array arguments whose lengths do not match. A remote user with maintainer privileges on a table can pass crafted arrays to disclose sensitive information.
The issue lets a table maintainer infer memory contents located just past the end of one of the statistics arrays.
10) Stack-based buffer overflow (CVE-ID: CVE-2026-6637)
The vulnerability allows a remote user to execute arbitrary code as the operating system user running the database.
The vulnerability exists due to a stack-based buffer overflow in the refint contrib module when processing crafted input. A remote user who can reach the module's trigger functions can supply crafted input to execute arbitrary code as the operating system user running the database. Installations that do not load refint are not exposed to this item.
11) SQL injection (CVE-ID: CVE-2026-6638)
The vulnerability allows a remote user to execute arbitrary SQL with the subscription's publication-side credentials.
The vulnerability exists due to SQL injection in ALTER SUBSCRIPTION ... REFRESH PUBLICATION when a subscriber-side table name is interpolated into SQL sent to the publisher. A remote user who can create a suitably named table on the subscriber can have arbitrary SQL executed on the publisher with the subscription's publication-side credentials.
The injected SQL runs at the next REFRESH PUBLICATION, so user interaction (or a scheduled refresh) is required.
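The following audit query is an added example for this item and is not part of the bulletin. It lists, per subscription on the subscriber side, the local tables the subscription tracks in pg_subscription_rel, and returns only those whose schema or table name is not a plain lower-case identifier (anything that would need double quotes). That filter is a heuristic chosen here, not a definition of the vulnerable input, so review the output rather than relying on it alone.

```sql
-- Added audit query (not from the bulletin): subscriber-side tables tracked by
-- a subscription whose names need quoting. Run on the subscriber database.
SELECT s.subname,
       pg_get_userbyid(s.subowner) AS subscription_owner,
       n.nspname                   AS subscriber_schema,
       c.relname                   AS subscriber_table,
       pg_get_userbyid(c.relowner) AS table_owner,
       sr.srsubstate               AS sync_state
FROM pg_catalog.pg_subscription_rel sr
JOIN pg_catalog.pg_subscription s ON s.oid = sr.srsubid
JOIN pg_catalog.pg_class c        ON c.oid = sr.srrelid
JOIN pg_catalog.pg_namespace n    ON n.oid = c.relnamespace
WHERE c.relname !~ '^[a-z_][a-z0-9_]*$'
   OR n.nspname !~ '^[a-z_][a-z0-9_]*$'
ORDER BY s.subname, n.nspname, c.relname;
```

Pay particular attention to rows whose table_owner differs from subscription_owner: those are tables that another role placed under a subscription's control. Until the update is applied, avoid running REFRESH PUBLICATION on subscriptions that list unexpected tables.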
Remediation
Upgrade to a fixed minor release; the release announcement in References covers PostgreSQL 18.4, 17.10, 16.14, 15.18 and 14.23. Several items (4, 5 and 6) affect client-side components (pg_basebackup, pg_rewind, pg_createsubscriber, psql, pg_dump and libpq), so update client packages and applications that bundle libpq as well as the server, and verify the running server version with SELECT version(); after restarting.
References
- https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
- https://www.postgresql.org/support/security/CVE-2026-6472/
- https://www.postgresql.org/support/security/CVE-2026-6473/
- https://www.postgresql.org/support/security/CVE-2026-6474/
- https://www.postgresql.org/support/security/CVE-2026-6475/
- https://www.postgresql.org/support/security/CVE-2026-6476/
- https://www.postgresql.org/support/security/CVE-2026-6477/
- https://www.postgresql.org/support/security/CVE-2026-6478/
- https://www.postgresql.org/support/security/CVE-2026-6479/
- https://www.postgresql.org/support/security/CVE-2026-6575/
- https://www.postgresql.org/support/security/CVE-2026-6637/
- https://www.postgresql.org/support/security/CVE-2026-6638/