CVE-2026-6473 - Vulnerability Details

- PostgreSQL server undersizes allocations, via integer wraparound

Description

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Published: 2026-05-14

Score: 8.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An integer wraparound flaw exists in several PostgreSQL server features that lets an unprivileged database user cause the server to allocate too little memory and then write beyond the end of that buffer. The out‑of‑bounds write can lead to execution of arbitrary code running with the operating system user account that owns the database process. For applications that supply gigabyte‑scale user data to the vulnerable functions, the flaw can also trigger a segmentation fault, potentially causing a denial of service. The vulnerability is a classic integer overflow problem, categorized as CWE‑190.

Affected Systems

All PostgreSQL releases older than 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. The issue affects the PostgreSQL server component of the database system and therefore any client or application that connects to it using a user account that does not have elevated privileges.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, and the EPSS score is not available, meaning no current estimate of exploitation likelihood is published. The flaw is not listed in the CISA KEV catalog, but its impact is substantial. The likely attack vector, while not explicitly specified in the advisory, is inferred to be a database query executed by an unprivileged user who can supply large or crafted input that triggers the integer wraparound. Given the high impact, remediation should be prioritized.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

PostgreSQL

unaffected

Version	Status	Constraints
`18`	affected	< 18.4
`17`	affected	< 17.10
`16`	affected	< 16.14
`15`	affected	< 15.18
`0`	affected	< 14.23

No data.

Vendor Product Confidence Versions

Postgresql

80%

Version	Status	Scheme	Platform
`[18,18.4)`	affected	generic	—
`[17,17.10)`	affected	generic	—
`[16,16.14)`	affected	generic	—
`[15,15.18)`	affected	generic	—
`[0,14.23)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade PostgreSQL to version 18.4 or newer, or 17.10, 16.14, 15.18, or 14.23 as applicable.
Apply any vendor‑supplied security patches for the affected releases.
Restrict unprivileged database users from invoking functions that handle very large inputs, or enforce database configuration limits on input size to prevent wraparound scenarios.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6269-1	postgresql-15 security update
Debian DSA	DSA-6270-1	postgresql-17 security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.postgresql.org/support/security/CVE-2026-6473/

History

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Postgresql Postgresql postgresql
Vendors & Products		Postgresql Postgresql postgresql

Thu, 14 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title		PostgreSQL server undersizes allocations, via integer wraparound
Weaknesses		CWE-190
References		https://www.postgresql.org/support/security/CVE-2026-6473/
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Postgresql Postgresql

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published: 2026-05-14T13:00:09.446Z

Updated: 2026-05-14T13:40:17.936Z

Reserved: 2026-04-17T00:27:22.802Z

Link: CVE-2026-6473

Vulnrichment

Updated: 2026-05-14T13:40:13.777Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T14:16:24.883

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses

CWE-190

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object