BIT-postgresql-2026-6477
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2026-6477.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-postgresql-2026-6477
- Aliases
-
- CVE-2026-6477
- Published
- 2026-05-18T05:53:04.801Z
- Modified
- 2026-05-18T08:01:28.678301Z
- Summary
- PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory
- Details
-
Use of inherently dangerous function PQfn(..., resultisint=0, ...) in PostgreSQL libpq loexport(), loread(), lolseek64(), and lotell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., resultisint=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \loexport command in psql and pgdump call loread(), the server superuser can overwrite pgdump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
- Database specific
{ "cpes": [ "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*" ], "severity": "High" }- References
Affected packages
Bitnami / postgresql
Package
- Name
- postgresql
- Purl
- pkg:bitnami/postgresql
Severity
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator