CVE-2026-6477

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Vulnerability Details

Published Date

May 14, 2026

Last Modified

May 18, 2026

CWE ID

CWE-242

Source

NVD

Vendor

postgresql

Product

postgresql

External References

https://www.postgresql.org/support/security/CVE-2026-6477/

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment