CVE 8.8 HIGH

PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory_CVE-2026-6477

May 14, 2026 invoker category_cve
8.8 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AI Analysis

Server superuser can overwrite client stack buffer with an arbitrarily-large response in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions

Basic Information

ID CVE-2026-6477
Source PostgreSQL
Published May 14, 2026 at 13:00

Affected Product

Vendor n/a
Product PostgreSQL
Version 18
Affected Versions n/a PostgreSQL 18
n/a PostgreSQL 17
n/a PostgreSQL 16
n/a PostgreSQL 15
n/a PostgreSQL 0

CWE Classification

CWE-242

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor PostgreSQL Global Development Group
Product PostgreSQL
Version 18.4, 17.10, 16.14, 15.18, 14.23

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.