CVE-2026-6479 - Vulnerability Details

- PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

Description

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Published: 2026-05-14

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability results from uncontrolled recursion during the initialization of SSL or GSS negotiation in PostgreSQL, a flaw classified as CWE‑674. An attacker who can connect to a PostgreSQL socket—either the Unix domain socket exposed via AF_UNIX or the TCP port when both SSL and GSS are disabled—can trigger the recursion and exhaust server resources, causing the database service to become unresponsive. The effect is a denial of service that can be sustained as long as the malicious connections continue.

Affected Systems

The flaw affects PostgreSQL servers, specifically all releases prior to 18.4, 17.10, 16.14, 15.18, and 14.23. Any installation of PostgreSQL that exposes a local AF_UNIX socket or listens on a TCP socket without SSL/GSS enabled is at risk. The issue is present in the core PostgreSQL product.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact and moderate to high complexity, though the EPSS score is unavailable at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting no public exploitation has been recorded yet. Attackers need the ability to open a connection to the database socket, which could be local or network based depending on configuration, making the attack survivable in typical deployment scenarios. Once the recursion is triggered, the database becomes unresponsive until the service is restarted, producing repeatable denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

PostgreSQL

unaffected

Version	Status	Constraints
`18`	affected	< 18.4
`17`	affected	< 17.10
`16`	affected	< 16.14
`15`	affected	< 15.18
`0`	affected	< 14.23

No data.

Vendor Product Confidence Versions

Postgresql

95%

Version	Status	Scheme	Platform
`[18,18.4)`	affected	generic	—
`[17,17.10)`	affected	generic	—
`[16,16.14)`	affected	generic	—
`[15,15.18)`	affected	generic	—
`[0,14.23)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

enable SSL and/or GSS; disable unix_socket_directories

OpenCVE Recommended Actions

Upgrade PostgreSQL to a version no earlier than 18.4, 17.10, 16.14, 15.18, or 14.23 to apply the vendor fix.
If upgrading is not immediately possible, enable SSL or GSS authentication to mitigate the recursion loop during socket initialization.
Disable or restrict use of unix_socket_directories where feasible to reduce the attack surface for local socket access.
Configure firewall or access controls to limit who can reach the database port or Unix socket, reducing the likelihood that an attacker can establish the destructive connection.

Generated by OpenCVE AI on May 14, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6269-1	postgresql-15 security update
Debian DSA	DSA-6270-1	postgresql-17 security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.postgresql.org/support/security/CVE-2026-6479/

History

Thu, 14 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Postgresql Postgresql postgresql
Vendors & Products		Postgresql Postgresql postgresql

Thu, 14 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title		PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion
Weaknesses		CWE-674
References		https://www.postgresql.org/support/security/CVE-2026-6479/
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Postgresql Postgresql

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published: 2026-05-14T13:00:13.859Z

Updated: 2026-05-14T15:26:20.166Z

Reserved: 2026-04-17T00:45:37.869Z

Link: CVE-2026-6479

Vulnrichment

Updated: 2026-05-14T15:26:16.660Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T14:16:25.583

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:00:14Z

Weaknesses

CWE-674

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object