PatchSiren cyber security CVE debrief

CVE-2026-6477 PostgreSQL CVE debrief

CVE-2026-6477 is a high-severity PostgreSQL client-library issue in libpq where inherently dangerous PQfn(..., result_is_int=0, ...) usage can let a PostgreSQL server superuser write an arbitrarily large server-controlled response into a client stack buffer. The affected paths include lo_export(), lo_read(), lo_lseek64(), and lo_tell64(), and the impact extends to psql and pg_dump because they call lo_read(). The practical defensive takeaway is straightforward: update affected PostgreSQL client/server packages promptly and treat any environment that can connect to untrusted or poorly controlled PostgreSQL servers as exposed until patched.

Vendor: PostgreSQL
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

PostgreSQL operators, DBAs, application teams that ship or use libpq-based clients, and anyone relying on psql or pg_dump. Prioritize environments where server superuser access could be abused or where client tools may connect to servers outside your control.

Technical summary

According to the CVE description and NVD metadata, libpq calls PQfn(..., result_is_int=0, ...) in its large-object helper functions in a way that accepts server-determined data of arbitrary length into a client buffer whose size the description does not state; the failure mode is the same as an unbounded copy into a fixed-size buffer. The affected components are lo_export(), lo_read(), lo_lseek64(), and lo_tell64(), with downstream exposure in psql and pg_dump because both call lo_read(). NVD assigns the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and lists CWE-242 (Use of Inherently Dangerous Function). Affected versions are those earlier than PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23.

Defensive priority

High. This is a client-side memory-corruption issue with broad confidentiality, integrity, and availability impact in the affected process. Patch the affected PostgreSQL releases quickly, especially if your organization uses psql or pg_dump in automated workflows or against servers not fully trusted.

Recommended defensive actions

  • Upgrade PostgreSQL and bundled libpq/client packages to 18.4, 17.10, 16.14, 15.18, or 14.23, or newer fixed releases.
  • Ensure any systems shipping psql or pg_dump are rebuilt or repackaged with the fixed client library.
  • Review whether scripts or operators use psql or pg_dump against servers where superuser behavior cannot be fully trusted.
  • Restrict who can act as PostgreSQL server superuser and minimize exposure of administrative server accounts.
  • Inventory containers, build images, and appliances that include affected PostgreSQL client tools and schedule patching there as well.
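The upgrade and inventory steps above reduce to one question per host, container, or build image: is the installed client tooling at or above the fixed release for its major series? The script below is an added example written for this debrief, not PostgreSQL project code. It assumes the standard `--version` banner format of psql and pg_dump (for instance "psql (PostgreSQL) 16.13") and that those tools were built against the libpq shipped in the same package, so their version stands in for the library's. The fixed minimums (18.4, 17.10, 16.14, 15.18, 14.23) are taken from this advisory; a newer major series is treated as fixed and an older, unlisted series (13 and below) is reported as unknown rather than assumed safe.

```python
"""Inventory check for CVE-2026-6477: classify installed PostgreSQL client tools
against the fixed releases named in this debrief (18.4, 17.10, 16.14, 15.18, 14.23).

Added example for this debrief, not PostgreSQL project code. It assumes the
standard `--version` banner format of psql and pg_dump ("psql (PostgreSQL) 16.13")
and that those tools ship with the same libpq build as the package they came from.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Lowest fixed minor release per major series, taken from the advisory text.
FIXED_MINIMUM = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Matches "<tool> (PostgreSQL) 16.13 ..." as well as "18beta1"-style banners
# where the minor part is absent.
VERSION_RE = re.compile(r"\(PostgreSQL\)\s+(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a `--version` banner, or None if unrecognised.
    A banner with no minor part (pre-release builds) is treated as minor 0."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_fixed(banner: str) -> Optional[bool]:
    """True  -> at or above the fixed release for its major series, or a newer major
    False -> an affected release
    None  -> unparsable, or a major series the advisory does not list (13 and
             older), reported as unknown rather than assumed safe."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor = parsed
    if major > max(FIXED_MINIMUM):
        return True          # newer major series than any listed affected range
    if major not in FIXED_MINIMUM:
        return None          # older than the series the advisory covers
    return minor >= FIXED_MINIMUM[major]


def check_tool(tool: str) -> Tuple[str, Optional[bool], str]:
    """Locate `tool` on PATH, run `<tool> --version`, and classify the banner."""
    path = shutil.which(tool)
    if path is None:
        return tool, None, "not installed"
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    banner = proc.stdout.strip() or proc.stderr.strip()
    return tool, is_fixed(banner), banner


if __name__ == "__main__":
    labels = {True: "FIXED", False: "AFFECTED", None: "UNKNOWN"}
    for name, state, detail in (check_tool(t) for t in ("psql", "pg_dump")):
        print(f"{labels[state]:9} {name:8} {detail}")
```

Run it on every host and inside every container or build image that carries the client tools; an AFFECTED or UNKNOWN line is a patching or investigation item. The psql banner is only a proxy for libpq when both come from the same package: a language driver or appliance that bundles its own copy of libpq must be checked against that copy's version separately.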

Evidence notes

All substantive statements are based on the supplied CVE description and NVD metadata. Version ranges, affected functions, CWE-242, and the CVSS vector come from the provided source item. The PostgreSQL vendor advisory is the official reference linked by NVD; no additional facts were inferred beyond the supplied corpus.

Official resources

CVE published 2026-05-14 and modified 2026-05-18 in the supplied records. The enrichment data does not list this CVE in CISA KEV.