CVE-2026-6477

CVE Details

Release Date:	2026-05-14
Impact:	Important	What is this?

Description

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

See more information about CVE-2026-6477 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	8.4
Vector String:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Version:	3.1
Attack Vector:	Network
Attack Complexity:	Low
Privileges Required:	High
User Interaction:	Required
Scope:	Changed
Confidentiality Impact:	High
Integrity Impact:	High
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (libpq)	ELSA-2026-27738	2026-06-22
Oracle Linux version 9 (pg_repack)	ELSA-2026-26203	2026-06-24
Oracle Linux version 9 (pg_repack)	ELSA-2026-28037	2026-06-24
Oracle Linux version 9 (pgaudit)	ELSA-2026-26203	2026-06-24
Oracle Linux version 9 (pgaudit)	ELSA-2026-28037	2026-06-24
Oracle Linux version 9 (pgvector)	ELSA-2026-26203	2026-06-24
Oracle Linux version 9 (postgis)	ELSA-2026-26203	2026-06-24
Oracle Linux version 9 (postgres-decoderbufs)	ELSA-2026-26203	2026-06-24
Oracle Linux version 9 (postgres-decoderbufs)	ELSA-2026-28037	2026-06-24
Oracle Linux version 9 (postgresql)	ELSA-2026-26203	2026-06-24
Oracle Linux version 9 (postgresql)	ELSA-2026-28037	2026-06-24