PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Basic Information

ID CVE-2026-6575

Source PostgreSQL

Published May 14, 2026 at 13:00

Affected Product

Vendor n/a

Product PostgreSQL

Version 18

Affected Versions n/a PostgreSQL 18

CWE Classification

CWE-126

References

www.postgresql.org /support/security/CVE-2026-6575/

{
    "lastseen": "",
    "description": "Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array.  This allows a table maintainer to infer memory values past that array end.  Within major version 18, minor versions before PostgreSQL 18.4 are affected.  Versions before PostgreSQL 18 are unaffected.",
    "published": "2026-05-14T13:00:14.542Z",
    "modified": "2026-05-14T13:00:14.542Z",
    "type": "cve",
    "title": "PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array",
    "source": "PostgreSQL",
    "references": "https://www.postgresql.org/support/security/CVE-2026-6575/",
    "id": "CVE-2026-6575",
    "bulletinFamily": "",
    "cwe": [
        "CWE-126"
    ],
    "cvelist": null,
    "sourceData": "n/a PostgreSQL 18",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PostgreSQL",
    "version": "18",
    "vendor": "n/a",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array_CVE-2026-6575