8.8

CVE-2026-6477

Medienbericht

PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response.  Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size.  Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PostgresqlPostgresql Version < 14.23
PostgresqlPostgresql Version >= 15.0 < 15.18
PostgresqlPostgresql Version >= 16.0 < 16.14
PostgresqlPostgresql Version >= 17.0 < 17.10
PostgresqlPostgresql Version >= 18.0 < 18.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.46% 0.368
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.4 1.7 6
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

CWE-242 Use of Inherently Dangerous Function

The product calls a function that can never be guaranteed to work safely.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
18.05.2026 14:45
https://www.postgresql.org/support/security/CVE-2026-6477/
Patch
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:22878
https://access.redhat.com/errata/RHSA-2026:26181
https://access.redhat.com/errata/RHSA-2026:26203
https://access.redhat.com/errata/RHSA-2026:26204
https://access.redhat.com/errata/RHSA-2026:26524
https://access.redhat.com/errata/RHSA-2026:26525
https://access.redhat.com/errata/RHSA-2026:26561
https://access.redhat.com/errata/RHSA-2026:27718
https://access.redhat.com/errata/RHSA-2026:27738
https://access.redhat.com/errata/RHSA-2026:27741
https://access.redhat.com/errata/RHSA-2026:27742
https://access.redhat.com/errata/RHSA-2026:27743
https://access.redhat.com/errata/RHSA-2026:28037
https://access.redhat.com/errata/RHSA-2026:29212
https://access.redhat.com/errata/RHSA-2026:29815
https://access.redhat.com/errata/RHSA-2026:29904
https://access.redhat.com/errata/RHSA-2026:29953
https://access.redhat.com/errata/RHSA-2026:32983
https://access.redhat.com/errata/RHSA-2026:32994
https://access.redhat.com/errata/RHSA-2026:21182
https://access.redhat.com/security/cve/CVE-2026-6477
https://bugzilla.redhat.com/show_bug.cgi?id=2477442
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6477.json
https://access.redhat.com/errata/RHSA-2026:33441
https://access.redhat.com/errata/RHSA-2026:33497
https://access.redhat.com/errata/RHSA-2026:34043
https://access.redhat.com/errata/RHSA-2026:34362
https://access.redhat.com/errata/RHSA-2026:34363
https://access.redhat.com/errata/RHSA-2026:35880