CVE-2026-6477

HIGH

PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

Title source: cna
STIX 2.1

Description

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

References (30)

Core 30
Core References

Scores

CVSS v3 8.8
EPSS 0.0046
EPSS Percentile 37.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-120 CWE-242
Status published
Products (6)
None/PostgreSQL < 14.23
None/PostgreSQL 15 - 15.18
None/PostgreSQL 16 - 16.14
None/PostgreSQL 17 - 17.10
None/PostgreSQL 18 - 18.4
postgresql/postgresql < 14.23
Published May 14, 2026
Tracked Since May 14, 2026