High severity8.8NVD Advisory· Published May 14, 2026· Updated May 18, 2026
CVE-2026-6477
CVE-2026-6477
Description
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
35- Range: <18.4
- osv-coords34 versionspkg:bitnami/postgresqlpkg:rpm/almalinux/libpqpkg:rpm/almalinux/libpq-develpkg:rpm/almalinux/postgresqlpkg:rpm/almalinux/postgresql-contribpkg:rpm/almalinux/postgresql-docspkg:rpm/almalinux/postgresql-plperlpkg:rpm/almalinux/postgresql-plpython3pkg:rpm/almalinux/postgresql-pltclpkg:rpm/almalinux/postgresql-private-develpkg:rpm/almalinux/postgresql-private-libspkg:rpm/almalinux/postgresql-serverpkg:rpm/almalinux/postgresql-server-develpkg:rpm/almalinux/postgresql-staticpkg:rpm/almalinux/postgresql-testpkg:rpm/almalinux/postgresql-test-rpm-macrospkg:rpm/almalinux/postgresql-upgradepkg:rpm/almalinux/postgresql-upgrade-develpkg:rpm/opensuse/postgresql14&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql15&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql16&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql17&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/postgresql17&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql18&distro=openSUSE%20Tumbleweedpkg:rpm/suse/postgresql14&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql14&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/postgresql18&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/postgresql18&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 14.23.0+ 33 more
- (no CPE)range: < 14.23.0
- (no CPE)range: < 13.23-2.el8_10
- (no CPE)range: < 13.23-2.el8_10
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 13.23-3.el9_8
- (no CPE)range: < 14.23-1.1
- (no CPE)range: < 15.18-1.1
- (no CPE)range: < 16.14-1.1
- (no CPE)range: < 17.10-160000.1.1
- (no CPE)range: < 17.10-1.1
- (no CPE)range: < 18.4-1.1
- (no CPE)range: < 14.23-160000.1.1
- (no CPE)range: < 14.23-160000.1.1
- (no CPE)range: < 15.18-160000.1.1
- (no CPE)range: < 15.18-160000.1.1
- (no CPE)range: < 16.14-160000.1.1
- (no CPE)range: < 16.14-160000.1.1
- (no CPE)range: < 17.10-160000.1.1
- (no CPE)range: < 17.10-160000.1.1
- (no CPE)range: < 18.4-160000.1.1
- (no CPE)range: < 18.4-160000.1.1
Patches
Vulnerability mechanics
References
1- www.postgresql.org/support/security/CVE-2026-6477/nvdPatchVendor Advisory
News mentions
0No linked articles in our index yet.