CVE-2026-6575

EUVD-2026-30287
A buffer over-read in the PostgreSQL function pg_restore_attribute_stats() arises because the function accepts array values of unmatched length, which causes query planning to read past the end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.3 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |

EPSS Score percentile: 10%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| postgresql | postgresql | 18.0 ≤ x < 18.4 |

x = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| postgresql-18 | forky | 18.4-1 | fixed |
| postgresql-18 | sid | 18.4-1 | fixed |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| libecpg6 | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libecpg6 | suse enterprise server 12 SP5 | 18.4-8.12.1 | fixed |
| libecpg6 | suse enterprise server 15 SP4 | 18.4-150200.5.12.1 | fixed |
| libecpg6 | suse enterprise server 15 SP5 | 18.4-150200.5.12.1 | fixed |
| libecpg6 | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| libecpg6 | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libecpg6-32bit | suse enterprise server 12 SP5 | 18.4-8.12.1 | fixed |
| libpq5 | suse enterprise desktop 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libpq5 | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libpq5 | suse enterprise server 12 SP5 | 18.4-8.12.1 | fixed |
| libpq5 | suse enterprise server 15 SP4 | 18.4-150200.5.12.1 | fixed |
| libpq5 | suse enterprise server 15 SP5 | 18.4-150200.5.12.1 | fixed |
| libpq5 | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| libpq5 | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libpq5-32bit | suse enterprise desktop 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libpq5-32bit | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| libpq5-32bit | suse enterprise server 12 SP5 | 18.4-8.12.1 | fixed |
| libpq5-32bit | suse enterprise server 15 SP4 | 18.4-150200.5.12.1 | fixed |
| libpq5-32bit | suse enterprise server 15 SP5 | 18.4-150200.5.12.1 | fixed |
| libpq5-32bit | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| libpq5-32bit | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18 | suse enterprise desktop 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18 | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18 | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18 | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-contrib | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-contrib | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-contrib | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-devel | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-devel | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-devel | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-docs | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-docs | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-docs | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-plperl | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-plperl | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-plperl | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-plpython | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-plpython | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-plpython | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-pltcl | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-pltcl | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-pltcl | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-server | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-server | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-server | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-server-devel | suse enterprise sap 15 SP7 | 18.4-150600.13.11.1 | fixed |
| postgresql18-server-devel | suse enterprise server 15 SP6 | 18.4-150600.13.11.1 | fixed |
| postgresql18-server-devel | suse enterprise server 15 SP7 | 18.4-150600.13.11.1 | fixed |

Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| postgresql18 | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-contrib | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-contrib-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-debugsource | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-docs | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-docs-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-llvmjit | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-llvmjit-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-plperl | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-plperl-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-plpython3 | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-plpython3-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-pltcl | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-pltcl-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-private-devel | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-private-libs | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-private-libs-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-server | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-server-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-server-devel | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-server-devel-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-static | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-test | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-test-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-test-rpm-macros | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-upgrade | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-upgrade-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-upgrade-devel | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |
| postgresql18-upgrade-devel-debuginfo | Amazon Linux 2023 | 0:18.4-1.amzn2023.0.1 | fixed |