VYPR
High severity (7.5) · NVD Advisory · Published May 14, 2026 · Updated May 18, 2026

CVE-2026-6479

Description

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Uncontrolled recursion in PostgreSQL SSL/GSS negotiation allows denial of service via specially crafted connection attempts.

Vulnerability

Description

CVE-2026-6479 is an uncontrolled recursion vulnerability in PostgreSQL's SSL and GSS negotiation handling. When a client initiates a connection, the server processes negotiation parameters without proper depth checking, leading to infinite recursion and stack exhaustion. This bug affects all PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23 [1].

Exploitation

Details

An attacker can trigger the vulnerability by connecting to a PostgreSQL AF_UNIX socket if SSL or GSS is enabled. If both SSL and GSS are disabled, the same effect can be achieved via a TCP socket. No authentication is required, and the attack can be performed with network access to the socket [1]. The uncontrolled recursion causes the server to consume excessive stack memory, eventually crashing or becoming unresponsive.

Impact

Successful exploitation results in a sustained denial of service, disrupting database availability. Since the attack does not require credentials and can be launched repeatedly, it can keep the server offline indefinitely. The CVSS v3 base score is 7.5 (High), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network attack vector, low complexity, no privileges required, and high availability impact [1].

Mitigation

The PostgreSQL project has released fixed versions (18.4, 17.10, 16.14, 15.18, 14.23) as of 2026-05-14. Users should upgrade to these versions immediately. If upgrade is not possible, disabling SSL and GSS and restricting TCP socket access may reduce risk, but the only complete fix is patching [1].
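A small triage helper, added here as an example and not part of the advisory or of PostgreSQL itself, that maps a server's reported version onto the fixed releases listed above and flags hosts still needing the upgrade. It assumes the version string comes from `SHOW server_version` (bare `16.13` or a packaged form such as `16.13 (Debian ...)`), that branches older than 14 have no fixed release and are treated as affected, and that majors newer than 18 are not listed as affected; the inventory is constructed sample data.

```python
import re

# Fixed minor release per major branch, as listed in the advisory for CVE-2026-6479.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)")


def parse_version(server_version: str) -> tuple[int, int]:
    """Extract (major, minor) from a `SHOW server_version` string.

    Handles bare '16.13' as well as packaged strings such as
    '16.13 (Debian 16.13-1.pgdg120+1)'; anything else raises ValueError.
    """
    match = _VERSION_RE.match(server_version)
    if not match:
        raise ValueError(f"unrecognised PostgreSQL version string: {server_version!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(server_version: str) -> bool:
    """True when the server is older than the fixed release for its branch."""
    major, minor = parse_version(server_version)
    if major < 14:
        # Assumption: older than every branch with a listed fix, so treat as affected.
        return True
    if major > 18:
        # Assumption: not listed as affected by the advisory.
        return False
    return minor < FIXED_MINOR[major]


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose reported version still needs the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (host -> output of SHOW server_version).
SAMPLE_INVENTORY = {
    "db-01": "16.13 (Debian 16.13-1.pgdg120+1)",
    "db-02": "16.14",
    "db-03": "14.22",
    "db-04": "18.4 (Ubuntu 18.4-1)",
    "legacy-01": "13.20",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: needs upgrade for CVE-2026-6479")
```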

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)