CVE Vulnerabilities

CVE-2026-6479

Uncontrolled Recursion

Published: May 14, 2026 | Modified: May 18, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

NameVendorStart VersionEnd Version
PostgresqlPostgresql*14.23 (excluding)
PostgresqlPostgresql15.0 (including)15.18 (excluding)
PostgresqlPostgresql16.0 (including)16.14 (excluding)
PostgresqlPostgresql17.0 (including)17.10 (excluding)
PostgresqlPostgresql18.0 (including)18.4 (excluding)
Postgresql-10Ubuntuupstream*
Postgresql-12Ubuntuupstream*
Postgresql-14Ubuntujammy*
Postgresql-16Ubuntunoble*
Postgresql-17Ubuntuquesting*
Postgresql-18Ubuntudevel*
Postgresql-18Ubunturesolute*
Postgresql-9.3Ubuntuupstream*
Postgresql-9.5Ubuntuupstream*

Potential Mitigations

References