SB20260514108 - Debian update for postgresql-17

Published: May 14, 2026

Security Bulletin ID SB20260514108
CSH Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 40% Low 50%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Missing Authorization (CVE-ID: CVE-2026-6472)

The vulnerability allows a remote user to cause arbitrary SQL functions to execute inside other users' (victim) queries.

The vulnerability exists due to improper access control in the CREATE TYPE command: when a multirange type is created, the server does not check that the creating role holds CREATE privilege on the target schema. A remote user can therefore place a crafted type in a schema they should not be able to write to, and that type's functions then run inside victim queries that resolve the type name.

The issue can hijack any query that relies on search_path to find user-defined types, including types defined by extensions.
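The following query is an added example for this bulletin, not part of it and not code from the PostgreSQL project. It looks for the artifact the bug leaves behind: a multirange type sitting in a schema where its owner does not hold CREATE privilege. Legitimately created multiranges are owned by a role that could create in that schema (or by a superuser, for whom has_schema_privilege() always returns true), so rows returned here deserve a look. A role whose CREATE privilege was revoked after it created a type is a possible false positive.

```sql
-- Added audit query (assumption: run as a superuser so all schemas are visible).
-- typtype = 'm' marks multirange types in pg_type (PostgreSQL 14 and later).
SELECT n.nspname                                          AS schema_name,
       t.typname                                          AS multirange_type,
       pg_get_userbyid(t.typowner)                        AS type_owner,
       pg_get_userbyid(n.nspowner)                        AS schema_owner,
       has_schema_privilege(t.typowner, n.oid, 'CREATE')  AS owner_can_create_here
FROM pg_type t
JOIN pg_namespace n ON n.oid = t.typnamespace
WHERE t.typtype = 'm'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')   -- built-in multiranges
  AND NOT has_schema_privilege(t.typowner, n.oid, 'CREATE')
ORDER BY schema_name, multirange_type;

-- For any suspicious hit, inspect who can resolve it before the intended type:
-- the search_path of the roles running sensitive queries, and the type's
-- I/O functions, which are what execute inside the victim's query.
SELECT t.typname,
       t.typinput::regproc   AS input_function,
       t.typoutput::regproc  AS output_function
FROM pg_type t
JOIN pg_namespace n ON n.oid = t.typnamespace
WHERE t.typtype = 'm'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```

Dropping a planted type (DROP TYPE schema.name) removes the hook, but the fix is the updated server package; until then, any role that can create multirange types at all should be treated as able to write into every schema it can see.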


2) Integer overflow (CVE-ID: CVE-2026-6473)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to integer overflow in multiple PostgreSQL server features when processing application-supplied input. A remote user can provide crafted input to cause a denial of service.

The integer wraparound can undersize an allocation and lead to an out-of-bounds write that results in a segmentation fault.


3) Format string error (CVE-ID: CVE-2026-6474)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an externally controlled format string in the timeofday() function when it renders a crafted time zone setting. A remote user who can set such a time zone can call timeofday() to disclose sensitive information.

The issue can expose portions of server memory in the function's output.


4) Link following (CVE-ID: CVE-2026-6475)

The vulnerability allows a remote attacker to overwrite arbitrary local files.

The vulnerability exists due to symlink following in pg_basebackup plain format and pg_rewind when processing files from an origin server. A remote attacker can provide crafted symlinks to overwrite arbitrary local files.

User interaction is required: an administrator must run pg_basebackup (plain format) or pg_rewind against a server the attacker controls or has compromised. The overwrite only has practical consequences if something is done with the resulting files before the new server is started, such as moving them to a different VM or snapshotting the VM, since the symlinks are otherwise consumed by the server itself.


5) SQL injection (CVE-ID: CVE-2026-6476)

The vulnerability allows a remote user to execute arbitrary SQL as a superuser.

The vulnerability exists due to SQL injection in pg_createsubscriber when processing a subscription name. A remote privileged user can supply a crafted subscription name to execute arbitrary SQL as a superuser.

The attack takes effect when pg_createsubscriber next runs.


6) Stack-based buffer overflow (CVE-ID: CVE-2026-6477)

The vulnerability allows a remote attacker to overwrite client stack memory.

The vulnerability exists due to a stack-based buffer overflow in libpq lo_* functions when processing an arbitrarily large server response through PQfn(..., result_is_int=0, ...). A remote attacker can induce a victim client to process a crafted server response to overwrite client stack memory.

User interaction is required to invoke affected client functionality such as psql \lo_export or pg_dump. The issue affects lo_export(), lo_read(), lo_lseek64(), and lo_tell64().


7) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-6478)

The vulnerability allows a remote attacker to recover credentials sufficient to authenticate.

The vulnerability exists due to observable timing discrepancies in MD5-hashed password comparison during authentication. A remote attacker can measure authentication timing to recover credentials sufficient to authenticate.

The issue does not affect scram-sha-256 passwords. It applies only to roles whose password is stored as an MD5 hash, which is typically the case for roles carried over from clusters initialised on PostgreSQL 13 or earlier, where md5 was the default password_encryption.
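The statements below are an added example for this bulletin; they are not from the bulletin itself or from PostgreSQL's documentation. They identify the roles still exposed to the timing issue (those with an MD5 verifier), switch the server to storing SCRAM verifiers, and show the re-hash step. The role name app_user and the password literal are placeholders.

```sql
-- Added audit and hardening steps (assumption: run as a superuser; pg_authid
-- is readable only by superusers).

-- 1) Which login roles still have an MD5 verifier? Those are the ones the
--    timing discrepancy can be used against.
SELECT rolname,
       rolvaliduntil,
       CASE
         WHEN rolpassword IS NULL                  THEN 'no password'
         WHEN rolpassword LIKE 'md5%'              THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%'   THEN 'scram-sha-256'
         ELSE 'other'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY verifier_type, rolname;

-- 2) Make sure new passwords are stored as SCRAM verifiers from now on.
SHOW password_encryption;                               -- want: scram-sha-256
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- 3) Re-set the password of every 'md5' role from step 1. The server hashes
--    the new password with the current password_encryption, so this replaces
--    the MD5 verifier with a SCRAM one. (Placeholder role and password.)
ALTER ROLE app_user PASSWORD 'replace-with-a-new-secret';

-- 4) pg_hba.conf lines using "md5" still accept the MD5 exchange for any role
--    that still has an MD5 verifier; roles with SCRAM verifiers negotiate
--    SCRAM even on an "md5" line. List the md5 lines so they can be changed
--    to scram-sha-256 once step 3 is complete.
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'md5';
```

Step 3 rotates the password, so application credentials must be updated at the same time; merely changing password_encryption does not rewrite existing verifiers.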


8) Uncontrolled Recursion (CVE-ID: CVE-2026-6479)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in SSL and GSS negotiation when initializing connections. A remote attacker can connect to a vulnerable socket to cause a denial of service.

If SSL and GSS are both disabled on the server, an attacker who can reach the PostgreSQL TCP socket can trigger the recursion. Otherwise, the attacker must be able to connect to the server's AF_UNIX socket.


9) Stack-based buffer overflow (CVE-ID: CVE-2026-6637)

The vulnerability allows a remote user to execute arbitrary code as the operating system user running the database.

The vulnerability exists due to a stack-based buffer overflow in the refint module when processing crafted input. A remote user can supply crafted input to execute arbitrary code as the operating system user running the database.


10) SQL injection (CVE-ID: CVE-2026-6638)

The vulnerability allows a remote user to execute arbitrary SQL with the subscription's publication-side credentials.

The vulnerability exists due to SQL injection in ALTER SUBSCRIPTION ... REFRESH PUBLICATION when processing a table name. A remote user can create a crafted subscriber table name to execute arbitrary SQL with the subscription's publication-side credentials.

User interaction is required for the next REFRESH PUBLICATION to occur.
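The query below is an added example for this bulletin, not part of it and not code from the PostgreSQL project. Because the injection travels through the name of a table on the subscriber that is part of a subscription, a quick triage step is to list every subscription together with the tables it covers and flag names that need quoting (anything beyond lowercase letters, digits and underscores). Such names are legitimate in many databases, so a hit is a prompt to inspect, not proof of an attack.

```sql
-- Added triage query (assumption: run on the subscriber as a superuser).
-- pg_subscription_rel links each subscription to the subscriber-side tables
-- it replicates; pg_subscription carries the connection to the publisher.
SELECT s.subname,
       s.subenabled,
       n.nspname                                   AS subscriber_schema,
       c.relname                                   AS subscriber_table,
       sr.srsubstate                               AS sync_state,
       (n.nspname !~ '^[a-z_][a-z0-9_]*$'
        OR c.relname !~ '^[a-z_][a-z0-9_]*$')      AS needs_quoting
FROM pg_subscription_rel sr
JOIN pg_subscription s ON s.oid = sr.srsubid
JOIN pg_class        c ON c.oid = sr.srrelid
JOIN pg_namespace    n ON n.oid = c.relnamespace
ORDER BY needs_quoting DESC, s.subname, subscriber_schema, subscriber_table;

-- Who can create tables in the schemas those subscriptions read from? Any
-- such role can introduce a crafted name before the next REFRESH PUBLICATION.
SELECT DISTINCT n.nspname,
       r.rolname
FROM pg_subscription_rel sr
JOIN pg_class     c ON c.oid = sr.srrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles     r ON r.rolcanlogin
WHERE has_schema_privilege(r.oid, n.oid, 'CREATE')
  AND NOT r.rolsuper
ORDER BY n.nspname, r.rolname;
```

Until the server is patched, avoid running ALTER SUBSCRIPTION ... REFRESH PUBLICATION while untrusted roles hold CREATE on a replicated schema, since that is the moment the crafted name reaches the publisher with the subscription's credentials.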


Remediation

Install the updated postgresql-17 packages from Debian (or from the vendor's website) and restart the PostgreSQL service. Several of the issues above are client-side (pg_basebackup, pg_rewind, pg_createsubscriber and the libpq lo_* functions), so the client library and client tool packages must be updated on every host that runs them, not only on the database servers.