PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6479 PostgreSQL CVE debrief

## Summary

PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23 contain an uncontrolled recursion vulnerability in SSL and GSS negotiation code. An attacker with connectivity to a PostgreSQL AF_UNIX socket can trigger sustained denial of service. If both SSL and GSS are disabled, the attack surface extends to TCP sockets. The vulnerability was published on 2026-05-14 and last modified on 2026-05-18.

## Technical Details

The flaw stems from uncontrolled recursion (CWE-674) during the SSL and GSS authentication negotiation phase. The recursion can be triggered by a malicious client connecting to the PostgreSQL server, leading to resource exhaustion and denial of service. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and has low attack complexity (AC:L). The vulnerability results in high availability impact (A:H) with no confidentiality or integrity impact.

## Affected Versions

- PostgreSQL: all versions before 14.23
- PostgreSQL: 15.0 through 15.17 (fixed in 15.18)
- PostgreSQL: 16.0 through 16.13 (fixed in 16.14)
- PostgreSQL: 17.0 through 17.9 (fixed in 17.10)
- PostgreSQL: 18.0 through 18.3 (fixed in 18.4)

## Risk Assessment

CVSS 3.1 Score: 7.5 (HIGH). The vulnerability is remotely exploitable in default configurations where SSL or GSS is enabled. Even when both are disabled, TCP socket access remains a viable attack vector. No authentication is required, and the attack complexity is low, making this suitable for automated exploitation.

## Recommended Actions

1. **Immediate Patching**: Upgrade to PostgreSQL 18.4, 17.10, 16.14, 15.18, or 14.23 or later as appropriate for your major version.
2. **Network Segmentation**: Restrict AF_UNIX and TCP socket access to trusted hosts only, using host-based firewalls or PostgreSQL's `pg_hba.conf` to limit connection sources.
3. **Connection Rate Limiting**: Implement connection rate limiting at the network or application layer to reduce the risk of sustained DoS attacks.
4. **Monitoring**: Enable PostgreSQL logging for connection attempts and monitor for abnormal connection patterns or rapid connection cycling that may indicate exploitation.
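The first recommended action is to patch, which in practice starts with finding every instance still below the fixed release for its major version. The following script is an added example (not PatchSiren's or the PostgreSQL project's code) that applies the affected-version ranges above to the banner returned by `SELECT version()`. The fixed minor versions are taken from this debrief; the host names and banners in `SAMPLE_INVENTORY` are constructed, and the treatment of majors newer than 18 as already fixed is an assumption, not something the advisory states.

```python
"""Inventory triage for CVE-2026-6479 (added example, not PatchSiren's or
PostgreSQL's code).

Classifies PostgreSQL servers by the version banner reported by
`SELECT version()`, using the fixed releases listed in the debrief:
14.23, 15.18, 16.14, 17.10 and 18.4.
"""
import re

# Lowest fixed minor release per affected major version (from the debrief).
FIXED_MINOR = {14: 23, 15: 18, 16: 14, 17: 10, 18: 4}

# Matches "PostgreSQL 16.13 on x86_64-..." and the older three-part
# "PostgreSQL 9.6.24 ..." banners (major 9, minor 6 in that case).
VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor) from a version banner, or None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(banner):
    """True if the banner falls inside the affected ranges.

    Majors below 14 are covered by "all versions before 14.23" and are
    treated as affected. Majors above 18 are assumed to carry the fix
    (assumption: the advisory only lists 14 through 18).
    """
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    major, minor = parsed
    if major < 14:
        return True
    if major > 18:
        return False
    return minor < FIXED_MINOR[major]


def triage(inventory):
    """Map host -> banner to host -> 'AFFECTED' or 'fixed'."""
    return {
        host: ("AFFECTED" if is_affected(banner) else "fixed")
        for host, banner in inventory.items()
    }


# Constructed sample inventory; host names and banners are illustrative only.
SAMPLE_INVENTORY = {
    "db-prod-1": "PostgreSQL 16.13 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "db-prod-2": "PostgreSQL 16.14 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "db-legacy": "PostgreSQL 13.20 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "db-new": "PostgreSQL 18.4 on aarch64-unknown-linux-gnu, compiled by gcc, 64-bit",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the banner strings collected by your inventory tooling rather than the constructed sample; comparing only major.minor is sufficient here because the advisory's boundaries are expressed at that granularity.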

Vendor
PostgreSQL
Product
PostgreSQL
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-18
Advisory published
2026-05-14
Advisory updated
2026-05-18

Who should care

Database administrators, security engineers, DevOps teams running PostgreSQL infrastructure, and organizations with externally accessible PostgreSQL instances.

Technical summary

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows unauthenticated remote attackers to cause sustained denial of service. Exploitable via AF_UNIX sockets when SSL or GSS is enabled, or via TCP sockets when both are disabled. Fixed in versions 18.4, 17.10, 16.14, 15.18, and 14.23.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade PostgreSQL to patched versions: 18.4+, 17.10+, 16.14+, 15.18+, or 14.23+
  • Restrict AF_UNIX and TCP socket access using host-based firewalls and pg_hba.conf
  • Implement connection rate limiting to mitigate sustained DoS risk
  • Monitor PostgreSQL logs for abnormal connection patterns indicating exploitation
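The last bullet asks for monitoring of abnormal connection patterns and rapid connection cycling. The script below is an added example (not PatchSiren's or PostgreSQL's code) of the detection logic that implies: it parses `connection received` lines and flags any source that opens more than a threshold of connections inside a sliding time window. It assumes `log_connections = on` and the default `log_line_prefix` of `'%m [%p] '` (millisecond timestamp and backend PID); the log lines in `SAMPLE_LOG`, the source addresses and the threshold values are all constructed for illustration.

```python
"""Rapid-connection-cycling detector for PostgreSQL logs (added example, not
PatchSiren's or PostgreSQL's code).

Assumes log_connections = on and the default log_line_prefix '%m [%p] ', so
each line looks like:
  2026-05-15 10:00:00.000 UTC [4242] LOG:  connection received: host=10.0.0.5 port=50000
Unix-socket clients are logged with host=[local] and no port.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\d+\] LOG:\s+"
    r"connection received: host=(?P<host>\S+)(?: port=\d+)?"
)


def parse_connection(line):
    """Return (timestamp, source host) for a 'connection received' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("host")


def find_bursts(lines, window_seconds=10, threshold=20):
    """Return {host: peak_count} for every host that opened more than
    `threshold` connections within any `window_seconds` sliding window.

    A per-host deque holds the timestamps still inside the window; lines
    that are not connection events are ignored.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_connection(line)
        if parsed is None:
            continue
        ts, host = parsed
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            peaks[host] = max(peaks.get(host, 0), len(window))
    return peaks


# --- constructed sample log -------------------------------------------------
_BASE = datetime(2026, 5, 15, 10, 0, 0)


def _constructed_line(offset_ms, host, port=None):
    """Build one constructed log line in the default prefix format."""
    stamp = (_BASE + timedelta(milliseconds=offset_ms)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    port_part = f" port={port}" if port else ""
    return f"{stamp} UTC [4242] LOG:  connection received: host={host}{port_part}"


SAMPLE_LOG = (
    # 30 connections from one address within 3 seconds: cycling pattern
    [_constructed_line(i * 100, "10.0.0.5", 50000 + i) for i in range(30)]
    # 3 connections from another address spread over two minutes: normal
    + [_constructed_line(i * 60000, "10.0.0.9", 41000 + i) for i in range(3)]
    # one Unix-socket client
    + [_constructed_line(5000, "[local]")]
    # unrelated log line that the parser must skip
    + ["2026-05-15 10:00:06.000 UTC [4243] LOG:  checkpoint starting: time"]
)

if __name__ == "__main__":
    for host, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{host}: {peak} connections inside a 10 s window")
```

Tune `window_seconds` and `threshold` to the normal connection churn of the instance (pooled applications reconnect far less often than unpooled ones), and run it over the output of `tail -F` or your log shipper rather than a static file for live alerting.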

Evidence notes

CVE description and CPE criteria from NVD; CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; weakness CWE-674 from NVD reference analysis.

Official resources

2026-05-14