CVE-2026-6474

EUVD-2026-30280
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
postgresql-13
bullseye
vulnerable
bullseye (security)
vulnerable
postgresql-15
bookworm
vulnerable
bookworm (security)
15.18-0+deb12u1
fixed
postgresql-17
trixie
vulnerable
trixie (security)
17.10-0+deb13u1
fixed
postgresql-18
forky
vulnerable
sid
18.4-1
fixed
Common Weakness Enumeration
References
https://www.postgresql.org/support/security/CVE-2026-6474/