PostgreSQL server undersizes allocations, via integer wraparound_CVE-2026-6473

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AI Analysis

Integer wraparound vulnerability in PostgreSQL server allows unprivileged database users to execute arbitrary code

Basic Information

ID CVE-2026-6473

Source PostgreSQL

Published May 14, 2026 at 13:00

Modified May 14, 2026 at 13:40

Affected Product

Vendor n/a

Product PostgreSQL

Version 18

Affected Versions n/a PostgreSQL 18
n/a PostgreSQL 17
n/a PostgreSQL 16
n/a PostgreSQL 15
n/a PostgreSQL 0

CWE Classification

CWE-190

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor PostgreSQL Global Development Group

Product PostgreSQL

Version 18.4, 17.10, 16.14, 15.18, 14.23

References

www.postgresql.org /support/security/CVE-2026-6473/

{
    "lastseen": "",
    "description": "Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds.  This may execute arbitrary code as the operating system user running the database.  In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
    "published": "2026-05-14T13:00:09.446Z",
    "modified": "2026-05-14T13:40:17.936Z",
    "type": "cve",
    "title": "PostgreSQL server undersizes allocations, via integer wraparound",
    "source": "PostgreSQL",
    "references": "https://www.postgresql.org/support/security/CVE-2026-6473/",
    "id": "CVE-2026-6473",
    "bulletinFamily": "",
    "cwe": [
        "CWE-190"
    ],
    "cvelist": null,
    "sourceData": "n/a PostgreSQL 18\nn/a PostgreSQL 17\nn/a PostgreSQL 16\nn/a PostgreSQL 15\nn/a PostgreSQL 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PostgreSQL",
    "version": "18",
    "vendor": "n/a",
    "ai_description": "Integer wraparound vulnerability in PostgreSQL server allows unprivileged database users to execute arbitrary code",
    "ai_severity": "High",
    "ai_vendor": "PostgreSQL Global Development Group",
    "ai_product": "PostgreSQL",
    "ai_version": "18.4, 17.10, 16.14, 15.18, 14.23",
    "ai_score": 8.8
}