
CVE-2026-6575 PostgreSQL CVE debrief

A buffer over-read vulnerability exists in PostgreSQL's pg_restore_attribute_stats() function, affecting versions 18.0 through 18.3. The function accepts array values with mismatched lengths, causing query planning operations to read beyond the bounds of one array. This allows a table maintainer with appropriate privileges to infer memory contents past the array boundary. The vulnerability is confined to PostgreSQL major version 18; all prior major versions are unaffected. The issue was published on 2026-05-14 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been documented.

Vendor: PostgreSQL
Product: PostgreSQL
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Database administrators running PostgreSQL 18.x, security teams managing PostgreSQL deployments, and organizations with compliance requirements for database access controls.

Technical summary

The pg_restore_attribute_stats() function in PostgreSQL 18.x fails to validate that array parameters have matching lengths. When processing statistics restoration with mismatched arrays, the query planner reads beyond allocated memory boundaries. This constitutes a CWE-126 (Buffer Over-read) weakness, exposing adjacent memory contents to authenticated users with table maintenance privileges. The vulnerability is network-exploitable with low attack complexity but requires low-privileged authenticated access.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade PostgreSQL to version 18.4 or later
  • Review database user privileges to ensure table maintainer access is granted only to trusted accounts
  • Monitor query logs for unusual pg_restore_attribute_stats() invocations with anomalous array parameters
  • Apply vendor security patches as referenced in the official PostgreSQL security advisory
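The monitoring action above can be implemented with a small log scanner. The script below is an added example, not PatchSiren's or the PostgreSQL project's code. It assumes the server logs statements (log_statement = 'all', since the function is invoked from an ordinary SELECT) with log_line_prefix '%m [%p] %u@%d ', and it flags every pg_restore_attribute_stats() call together with the calling role and database. As a heuristic for the mismatched-array condition described in this debrief, it also compares the element counts of the most_common_vals and most_common_freqs array literals when both appear in the call; the argument layout in the sample lines is constructed for illustration, and the element counter does not handle quoted values that themselves contain commas.

```python
"""Scan PostgreSQL server logs for pg_restore_attribute_stats() calls.

Added example (not PatchSiren or PostgreSQL code). Assumes
log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all'.
The sample log lines and their argument lists are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two ordinary statements and two stats-restore calls.
SAMPLE_LOG = """\
2026-05-15 09:12:01.442 UTC [4121] app@inventory LOG:  statement: SELECT count(*) FROM orders
2026-05-15 09:12:03.110 UTC [4122] maint@inventory LOG:  statement: SELECT pg_restore_attribute_stats('relation', 'public.orders'::regclass, 'attname', 'status'::name, 'inherited', false, 'most_common_vals', '{a,b,c}'::text, 'most_common_freqs', '{0.5,0.3}'::real[])
2026-05-15 09:12:05.003 UTC [4121] app@inventory LOG:  statement: UPDATE orders SET status = 'shipped' WHERE id = 7
2026-05-15 09:12:07.910 UTC [4123] report@inventory LOG:  statement: select PG_RESTORE_ATTRIBUTE_STATS('relation', 'public.items'::regclass, 'attname', 'sku'::name, 'inherited', false)
"""

# Log prefix: timestamp with zone, [pid], user@database, then the statement text.
PREFIX_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)
# Function call, case-insensitive because SQL identifiers are case-folded.
CALL_RE = re.compile(r"\bpg_restore_attribute_stats\s*\(", re.IGNORECASE)
# Named-argument pairs whose values are array literals: 'name', '{...}'
PAIR_RE = re.compile(
    r"'(most_common_vals|most_common_freqs)'\s*,\s*'\{(?P<body>[^}]*)\}'",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ts: str
    pid: int
    user: str
    db: str
    stmt: str
    mcv_len: Optional[int] = None   # element count of most_common_vals, if present
    mcf_len: Optional[int] = None   # element count of most_common_freqs, if present

    @property
    def length_mismatch(self) -> bool:
        """True when both arrays are present and their lengths differ."""
        return (self.mcv_len is not None and self.mcf_len is not None
                and self.mcv_len != self.mcf_len)


def array_len(body: str) -> int:
    """Count elements of a PostgreSQL array literal body (no quoted commas)."""
    body = body.strip()
    return 0 if not body else len(body.split(","))


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per logged pg_restore_attribute_stats() call."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m or not CALL_RE.search(m["stmt"]):
            continue
        f = Finding(m["ts"], int(m["pid"]), m["user"], m["db"], m["stmt"])
        for pm in PAIR_RE.finditer(m["stmt"]):
            n = array_len(pm["body"])
            if pm.group(1).lower() == "most_common_vals":
                f.mcv_len = n
            else:
                f.mcf_len = n
        findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[Tuple[str, str], int]:
    """Count calls per (role, database) to spot unexpected callers."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f.user, f.db)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " ARRAY-LENGTH MISMATCH" if f.length_mismatch else ""
        print(f"{f.ts} pid={f.pid} {f.user}@{f.db}{flag}: {f.stmt[:80]}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

On a real deployment, feed the script the server log files (or pipe them through it) and compare the per-role counts against the roles expected to restore statistics, such as the account running pg_dump/pg_restore or pg_upgrade; any other caller, and any call with differing most_common_vals and most_common_freqs lengths, is worth investigating.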

Evidence notes

CVE description confirms affected versions (18.0 to 18.4 exclusive) and attack vector (table maintainer privilege level). NVD analysis confirms CVSS 3.1 vector and CWE-126 classification. Vendor advisory provides patch availability.
