CVE Vulnerabilities

CVE-2026-6477

Use of Inherently Dangerous Function

Published: May 14, 2026 | Modified: Jul 02, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
8.4 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Use of inherently dangerous function PQfn(…, result_is_int=0, …) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(…, result_is_int=0, …) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Weakness

The product calls a function that can never be guaranteed to work safely.

Affected Software

NameVendorStart VersionEnd Version
PostgresqlPostgresql*14.23 (excluding)
PostgresqlPostgresql15.0 (including)15.18 (excluding)
PostgresqlPostgresql16.0 (including)16.14 (excluding)
PostgresqlPostgresql17.0 (including)17.10 (excluding)
PostgresqlPostgresql18.0 (including)18.4 (excluding)
Red Hat Enterprise Linux 10RedHatpostgresql18-0:18.4-1.el10_2*
Red Hat Enterprise Linux 10RedHatpostgresql16-0:16.14-1.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatpostgresql16-0:16.14-1.el10_0*
Red Hat Enterprise Linux 8RedHatpostgresql:15-8100020260605152259.489197e6*
Red Hat Enterprise Linux 8RedHatlibpq-0:13.23-2.el8_10*
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRedHatpostgresql:12-8040020260624104459.522a0ee4*
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRedHatpostgresql:13-8040020260630100922.522a0ee4*
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRedHatpostgresql:12-8040020260624104459.522a0ee4*
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRedHatpostgresql:13-8040020260630100922.522a0ee4*
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRedHatpostgresql:12-8060020260623094704.ad008a3a*
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRedHatpostgresql:13-8060020260625065744.ad008a3a*
Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-OnRedHatpostgresql:12-8060020260623094704.ad008a3a*
Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-OnRedHatpostgresql:13-8060020260625065744.ad008a3a*
Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRedHatpostgresql:15-8080020260615085052.63b34585*
Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRedHatpostgresql:12-8080020260626093604.63b34585*
Red Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRedHatpostgresql:15-8080020260615085052.63b34585*
Red Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRedHatpostgresql:12-8080020260626093604.63b34585*
Red Hat Enterprise Linux 9RedHatpostgresql:16-9080020260605131007.rhel9*
Red Hat Enterprise Linux 9RedHatpostgresql:18-9080020260605125734.rhel9*
Red Hat Enterprise Linux 9RedHatpostgresql-0:13.23-3.el9_8*
Red Hat Enterprise Linux 9RedHatpostgresql:15-9080020260605124405.rhel9*
Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRedHatpostgresql-0:13.23-1.el9_2.2*
Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRedHatpostgresql:15-9020020260625101129.rhel9*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpostgresql:16-9040020260612132455.rhel9*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpostgresql-0:13.23-1.el9_4.2*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpostgresql:15-9040020260616071806.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpostgresql:16-9060020260612084605.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpostgresql-0:13.23-1.el9_6.2*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpostgresql:15-9060020260622062902.rhel9*
Red Hat Hardened ImagesRedHatpostgresql17-main-17.10-0.1.hum1*
Red Hat Hardened ImagesRedHatpostgresql18-main-18.4-0.1.hum1*
Postgresql-10Ubuntuupstream*
Postgresql-12Ubuntuupstream*
Postgresql-14Ubuntujammy*
Postgresql-16Ubuntunoble*
Postgresql-17Ubuntuquesting*
Postgresql-18Ubuntudevel*
Postgresql-18Ubunturesolute*
Postgresql-9.3Ubuntuupstream*
Postgresql-9.5Ubuntuupstream*

Potential Mitigations

References