VDB

CVE-2026-6475

CVE-2026-6475 PUBLISHED CVSS 8.8 HIGH

CVE-2026-6473 - Integer Wraparound / Out-of-Bounds Write
Multiple server features fail to guard against integer overflow in size calculations, allowing an attacker who can supply application input to cause an undersized heap allocation. The server then writes past the end of that buffer, resulting in a segmentation fault or, with careful heap manipulation, potential code execution.

CVE-2026-6637 - refint Stack Buffer Overflow & SQL Injection
The refint contrib module (referential integrity triggers) contains a fixed-size stack buffer that can be overflowed by a long column name. An unprivileged database user can trigger this to execute arbitrary code as the OS user running PostgreSQL. A secondary SQL injection path exists when applications expose user-controlled refint cascade primary key columns.

CVE-2026-6477 - libpq lo_ Client Stack Buffer Overflow
The PQfn() function used internally by lo_export(), lo_read(), lo_lseek64(), and lo_tell64() stores server-returned data of arbitrary length into an unspecified-size stack buffer, analogous to the deprecated gets() function. A malicious or compromised server can overflow the client stack when these functions are called, affecting psql and pg_dump.

CVE-2026-6475 - pg_basebackup / pg_rewind Symlink Following
Symlink following in pg_basebackup (plain format) and pg_rewind allows an origin server superuser to overwrite arbitrary files on the machine running the utility, such as shell profile files, which can be used to hijack the OS account when the server process subsequently starts.

EPSS 0.05% · 15.5th percentile

Risk Scores

CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.05% (15.5th percentile)

Affected Products

Vendor | Product | Versions
PostgreSQL | PostgreSQL | versions before 18.4, 17.10, 16.14, 15.18, and 14.23

Timeline

  • May 14, 2026 CVE Published
  • May 15, 2026 CVE Updated
  • May 15, 2026 Security Advisory
  • May 16, 2026 EPSS Score
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score