CVE Vulnerabilities

CVE-2026-6474

Use of Externally-Controlled Format String

Published: May 14, 2026 | Modified: May 18, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
4.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

NameVendorStart VersionEnd Version
PostgresqlPostgresql*14.23 (excluding)
PostgresqlPostgresql15.0 (including)15.18 (excluding)
PostgresqlPostgresql16.0 (including)16.14 (excluding)
PostgresqlPostgresql17.0 (including)17.10 (excluding)
PostgresqlPostgresql18.0 (including)18.4 (excluding)
Red Hat Hardened ImagesRedHatpostgresql18-main-18.4-0.1.hum1*
Postgresql-10Ubuntuupstream*
Postgresql-12Ubuntuupstream*
Postgresql-14Ubuntujammy*
Postgresql-16Ubuntunoble*
Postgresql-17Ubuntuquesting*
Postgresql-18Ubuntudevel*
Postgresql-18Ubunturesolute*
Postgresql-9.3Ubuntuupstream*
Postgresql-9.5Ubuntuupstream*

Potential Mitigations

References