Threat Advisory

PostgreSQL Vulnerability Exposes Refint Stack Overflow

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in PostgreSQL versions 14 through 18. They include critical local code execution flaws, logic-subverting SQL injections, and integer wraparounds in server memory allocation. The business risk and impact are significant: these vulnerabilities can allow an attacker to break out of the database context, execute arbitrary code, and compromise the integrity of the database and the underlying operating system. They can also introduce secondary risk vectors, such as SQL injection, in which malicious payloads execute under the security context of the database user. Organizations still running version 14 environments are urged to finalize their migration plans to a newer release line before the winter deadline.

  • CVE-2026-6637 with a CVSS score of 8.8 - A critical stack buffer overflow was uncovered in the legacy refint module, allowing an attacker to break out of the database context and execute arbitrary code. The vulnerability also introduces a secondary risk vector involving SQL injection.
  • CVE-2026-6477 with a CVSS score of 8.8 - The PQfn function utilized across several PostgreSQL libpq Large Object functions presents a severe client-side threat, allowing a malicious or compromised database superuser to overwrite the stack memory of pg_dump or psql, leading to client-side code execution.
  • CVE-2026-6473 with a CVSS score of 6.8 - An integer wraparound vulnerability exists across multiple server features, allowing an attacker to manipulate calculation metrics to force the server into undersizing its memory allocations and triggering an out-of-bounds write.
  • CVE-2026-6475 with a CVSS score of 4.3 - A flaw involving improper symlink validation inside pg_basebackup and pg_rewind opens the door for filesystem hijacking, allowing a superuser to overwrite arbitrary local files on the system host.
  • CVE-2026-6476 with a CVSS score of 7.2 - A SQL injection flaw was discovered in the pg_createsubscriber utility, allowing an attacker who already possesses pg_create_subscription rights to manipulate subscription names and inject arbitrary SQL code.
  • CVE-2026-6472 with a CVSS score of 5.4 - A missing authorization check during CREATE TYPE operations fails to properly validate the multirange schema CREATE privilege, allowing a low-privileged object creator to effectively "hijack" queries executed by other database users.
  • CVE-2026-6638 with a CVSS score of 3.7 - A minor-rated but notable SQL injection flaw exists within logical replication processes, specifically during the execution of ALTER SUBSCRIPTION ... REFRESH PUBLICATION.
  • CVE-2026-6479 with a CVSS score of 7.5 - An uncontrolled recursion flaw within the SSL and GSS authentication negotiation phases allows an attacker with access to a PostgreSQL AF_UNIX socket to trigger an infinite loop, causing a sustained denial of service.
  • CVE-2026-6478 with a CVSS score of 6.5 - A covert timing channel in the database's legacy MD5 password hashing verification engine allows remote attackers to carefully measure response times to systematically recover valid user credentials.
  • CVE-2026-6474 with a CVSS score of 4.3 - The timeofday() function contains an externally-controlled format string vulnerability, allowing attackers to force the server into disclosing adjacent fragments of raw server memory.
  • CVE-2026-6575 with a CVSS score of 4.3 - The pg_restore_attribute_stats() function fails to validate array lengths properly, allowing a malicious table maintainer to force the query planner to read past the end of the statistics array, leaking localized memory structures.

Administrators are urged to schedule downtime to apply these minor updates immediately. As is standard with minor PostgreSQL releases, updating does not require data dumps or structural migrations—simply install the updated binaries and restart the database service. If your ecosystem relies heavily on database clusters stretching back to PostgreSQL 14, now is the time to finalize upgrade pipelines ahead of the November deprecation deadline.

RECOMMENDATION:

  • We recommend updating PostgreSQL to version 18.4, 17.10, 16.14, 15.18, or 14.23, whichever corresponds to your release line.
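The patched release numbers in the recommendation above give a straightforward compliance check. The Python below is an added example, not code from this advisory or from the PostgreSQL project; it assumes you have already collected each host's `SELECT version()` or `SHOW server_version` output and the `rolname`/`rolpassword` pairs from `pg_authid`, and every host name, version string and role below is constructed sample data.

```python
import re

# Minimum patched minor release per major line, as listed in the advisory.
FIXED_RELEASES = {18: (18, 4), 17: (17, 10), 16: (16, 14), 15: (15, 18), 14: (14, 23)}


def parse_version(text):
    """Extract (major, minor) from version() or server_version output.

    Accepts both "PostgreSQL 16.13 on x86_64-pc-linux-gnu, ..." and a bare "16.13".
    Pre-release builds such as "18beta1" are not handled (assumption: production only).
    """
    m = re.search(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(text):
    """Return 'patched', 'unpatched', or 'not_in_advisory' (major line not covered, e.g. 13)."""
    major, minor = parse_version(text)
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return "not_in_advisory"
    return "patched" if (major, minor) >= fixed else "unpatched"


def triage(inventory):
    """Group hosts by patch status; inventory maps host name -> version string."""
    report = {"unpatched": [], "patched": [], "not_in_advisory": []}
    for host, text in inventory.items():
        report[assess(text)].append(host)
    return report


def md5_roles(pg_authid_rows):
    """Roles still using an MD5 verifier (stored as 'md5' + 32 hex chars), i.e. those
    exposed to the CVE-2026-6478 timing channel; SCRAM verifiers start with 'SCRAM-SHA-256$'."""
    return sorted(name for name, pw in pg_authid_rows if pw and pw.startswith("md5"))


# Constructed sample inventory and pg_authid rows; not taken from the advisory.
SAMPLE_INVENTORY = {
    "db-prod-1": "PostgreSQL 16.14 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
    "db-prod-2": "16.13",
    "db-legacy": "PostgreSQL 14.22 on x86_64-pc-linux-gnu",
    "db-old": "13.20",
}
SAMPLE_AUTHID = [("app_user", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"),
                 ("legacy_user", "md5" + "0" * 32), ("batch_nologin", None)]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
    print("MD5 roles to migrate to SCRAM:", md5_roles(SAMPLE_AUTHID))
```

Hosts reported as `not_in_advisory` have no fixed release in any of the lines listed above and need a major-version migration rather than a minor update.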

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/postgresql-security-update-11-vulnerabilities-patched-version-14-eol/
