Medium severity4.3NVD Advisory· Published May 14, 2026· Updated May 18, 2026
CVE-2026-6474
CVE-2026-6474
Description
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
19cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*range: <14.23
- (no CPE)range: <= 14.23, <= 15.18, <= 16.14, <= 17.10, <= 18.4 (affects versions before these releases)
- osv-coords17 versionspkg:bitnami/postgresqlpkg:rpm/opensuse/postgresql14&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql15&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql16&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql17&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/postgresql17&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql18&distro=openSUSE%20Tumbleweedpkg:rpm/suse/postgresql14&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql14&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql18&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql18&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 14.23.0+ 16 more
- (no CPE)range: < 14.23.0
- (no CPE)range: < 14.23-1.1
- (no CPE)range: < 15.18-1.1
- (no CPE)range: < 16.14-1.1
- (no CPE)range: < 17.10-160000.1.1
- (no CPE)range: < 17.10-1.1
- (no CPE)range: < 18.4-1.1
- (no CPE)range: < 14.23-160000.1.1
- (no CPE)range: < 14.23-160000.1.1
- (no CPE)range: < 15.18-160000.1.1
- (no CPE)range: < 15.18-160000.1.1
- (no CPE)range: < 16.14-160000.1.1
- (no CPE)range: < 16.14-160000.1.1
- (no CPE)range: < 17.10-160000.1.1
- (no CPE)range: < 17.10-160000.1.1
- (no CPE)range: < 18.4-160000.1.1
- (no CPE)range: < 18.4-160000.1.1
Patches
Vulnerability mechanics
References
1- www.postgresql.org/support/security/CVE-2026-6474/nvdPatchVendor Advisory
News mentions
0No linked articles in our index yet.