CVE-2026-6477

EUVD-2026-30283

14.05.2026, 14:16

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response.  Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size.  Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

postgresql-13

bullseye	vulnerable
bullseye (security)	vulnerable

postgresql-15

bookworm	vulnerable
bookworm (security)	15.18-0+deb12u1 fixed

postgresql-17

trixie	vulnerable
trixie (security)	17.10-0+deb13u1 fixed

postgresql-18

forky	vulnerable
sid	18.4-1 fixed

Common Weakness Enumeration

CWE-242 - Use of Inherently Dangerous Function
The program calls a function that can never be guaranteed to work safely.

References

https://www.postgresql.org/support/security/CVE-2026-6477/