CVE-2026-6473
published 2026-05-14CVE-2026-6473: Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write…
PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.67%
47.2th percentile
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postgresql | postgresql | < 14.23 | 14.23 |
| postgresql | postgresql | — | — |
| postgresql | postgresql | >= 15 < 15.18 | 15.18 |
| postgresql | postgresql | >= 15.0 < 15.18 | 15.18 |
| postgresql | postgresql | >= 16 < 16.14 | 16.14 |
| postgresql | postgresql | >= 16.0 < 16.14 | 16.14 |
| postgresql | postgresql | >= 17 < 17.10 | 17.10 |
| postgresql | postgresql | >= 17.0 < 17.10 | 17.10 |
| postgresql | postgresql | >= 18 < 18.4 | 18.4 |
| postgresql | postgresql | >= 18.0 < 18.4 | 18.4 |
| postgresql_12 | postgresql | — | — |
| postgresql_15 | postgresql | — | — |
| postgresql_16 | postgresql | — | — |
| postgresql_18 | postgresql | — | — |
| ubuntu | postgresql-14 | — | — |
| ubuntu | postgresql-16 | — | — |
| ubuntu | postgresql-17 | — | — |
| ubuntu | postgresql-18 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect gigabyte-scale inputs passed to PostgreSQL server functions, which are required to trigger the integer wraparound and out-of-bounds write ↗
- →Monitor for oversized string, array, or binary objects being passed into backend SQL queries as a precursor to exploitation ↗
- →An unprivileged (low-privilege) database user account is sufficient to trigger this vulnerability; monitor for unexpected large-input queries from low-privilege accounts ↗
- →Watch for PostgreSQL server segmentation faults (SIGSEGV) in logs, which may indicate exploitation attempts via gigabyte-scale inputs ↗
- ·Affected versions: PostgreSQL before 18.4, 17.10, 16.14, 15.18, and 14.23. Patch to these versions to remediate. ↗
- ·Red Hat notes that default RHEL security features (SELinux, ASLR, NX stack) significantly increase the difficulty of achieving arbitrary code execution, reducing practical impact on hardened systems. ↗
- ·Mitigation (if patching is not immediately possible): validate the length of data and size of objects on all client APIs and web interfaces before they reach backend SQL queries. ↗
- ·postgresql17 on Red Hat Hardened Images is listed as NOT affected. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.8HIGH
vendor_ubuntu5.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8rqw-w7xq-566r: Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and writ
ghsa_unreviewed·2026-05-14
CVE-2026-6473 [HIGH] CWE-190 GHSA-8rqw-w7xq-566r: Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and writ
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
VulDB
PostgreSQL up to 18.3 integer overflow
vuldb·2026-05-14·CVSS 8.8
CVE-2026-6473 [HIGH] PostgreSQL up to 18.3 integer overflow
A vulnerability categorized as critical has been discovered in PostgreSQL up to 14.22/15.17/16.13/17.9/18.3. Affected is an unknown function. Executing a manipulation can lead to integer overflow.
This vulnerability appears as CVE-2026-6473. The attack may be performed from remote. There is no available exploit.
It is advisable to upgrade the affected component.
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu·2026-05-21·CVSS 5.4
CVE-2026-6475 [MEDIUM] PostgreSQL vulnerabilities
Title: PostgreSQL vulnerabilities
Summary: Several security issues were fixed in PostgreSQL.
It was discovered that PostgreSQL did not correctly enforce authorization
for CREATE TYPE. An attacker could possibly use this issue to execute
arbitrary SQL functions. (CVE-2026-6472)
It was discovered that PostgreSQL incorrectly handled large user input in
multiple server features. An attacker could possibly use this issue to
cause PostgreSQL to crash, resulting in a denial of service, or execute
arbitrary code. (CVE-2026-6473)
It was discovered that PostgreSQL incorrectly handled format strings in
the timeofday() function. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-6474)
It was discovered that PostgreSQL incorrectly followed symbolic links in
pg_bas
Red Hat
postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write
vendor_redhat·2026-05-14·CVSS 8.8
CVE-2026-6473 [HIGH] CWE-190 postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write
postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write
A flaw was found in PostgreSQL. An integer overflow in multiple server features allows an unprivileged database user to cause an undersized memory allocation that leads to an out-of-bounds write. This issue allows an attacker to execute arbitrary code as the operating system user running the database or, in applications that pass gigabyte-scale user inputs to the relevant database functions, to cause a segmentation fault, resulting in a denial of service.
Statement: To exploit this flaw, an attacker with minimal access to a database needs to pass extremely large inputs to vulnerable database functions, causing an integer overflow that leads to an out-of-bounds write. This flaw allows an attacker to
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-6473 postgresql18: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
bugzilla·2026-06-03·CVSS 8.8
CVE-2026-6473 [HIGH] CVE-2026-6473 postgresql18: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
CVE-2026-6473 postgresql18: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6473 mingw-postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
bugzilla·2026-06-03·CVSS 8.8
CVE-2026-6473 [HIGH] CVE-2026-6473 mingw-postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
CVE-2026-6473 mingw-postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6473 postgresql17: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
bugzilla·2026-06-03·CVSS 8.8
CVE-2026-6473 [HIGH] CVE-2026-6473 postgresql17: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
CVE-2026-6473 postgresql17: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6473 postgresql16: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
bugzilla·2026-06-03·CVSS 8.8
CVE-2026-6473 [HIGH] CVE-2026-6473 postgresql16: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
CVE-2026-6473 postgresql16: integer overflow can cause an undersized allocation and an out-of-bounds write [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6473 postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write
bugzilla·2026-05-14·CVSS 8.8
CVE-2026-6473 [HIGH] CVE-2026-6473 postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write
CVE-2026-6473 postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
https://www.postgresql.org/support/security/CVE-2026-6473/https://access.redhat.com/errata/RHSA-2026:22878https://access.redhat.com/errata/RHSA-2026:26181https://access.redhat.com/errata/RHSA-2026:26203https://access.redhat.com/errata/RHSA-2026:26204https://access.redhat.com/errata/RHSA-2026:26524https://access.redhat.com/errata/RHSA-2026:26525https://access.redhat.com/errata/RHSA-2026:26561https://access.redhat.com/errata/RHSA-2026:27718https://access.redhat.com/errata/RHSA-2026:27738https://access.redhat.com/errata/RHSA-2026:27741https://access.redhat.com/errata/RHSA-2026:27742https://access.redhat.com/errata/RHSA-2026:27743https://access.redhat.com/errata/RHSA-2026:28037https://access.redhat.com/errata/RHSA-2026:28143https://access.redhat.com/errata/RHSA-2026:28999https://access.redhat.com/errata/RHSA-2026:29212https://access.redhat.com/errata/RHSA-2026:29815https://access.redhat.com/errata/RHSA-2026:29904https://access.redhat.com/errata/RHSA-2026:29953https://access.redhat.com/errata/RHSA-2026:32983https://access.redhat.com/errata/RHSA-2026:32994https://access.redhat.com/errata/RHSA-2026:33441https://access.redhat.com/security/cve/CVE-2026-6473https://bugzilla.redhat.com/show_bug.cgi?id=2477448https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6473.json
2026-05-14
Published