Description
Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a buffer over-read involving PostgreSQL’s pg_restore_attribute_stats() function. The function accepts array values of unmatched length; when query planning then uses those statistics, it reads past the end of one array, exposing memory values that lie beyond the array’s boundary. An attacker can use the exposed data to infer internal database memory contents, potentially revealing sensitive details about database internals. This weakness is classified as CWE-126.

Affected Systems

PostgreSQL versions 18.0 through 18.3 are vulnerable. Any PostgreSQL 18.x installation that has not been updated to version 18.4 or later is affected. The vulnerability does not impact PostgreSQL releases prior to major version 18.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity. No EPSS information is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed widespread exploitation. Exploitation requires authenticated access: the CVSS vector rates the flaw as network-reachable with low privileges required (AV:N/PR:L), and the description names a table maintainer as the attacker. To exploit the flaw, the attacker would need to supply a statistics array whose length does not match the expected size, causing the planner to read beyond the array’s bounds. The weakness does not allow remote code execution or privilege escalation, but it does provide a path for information leakage.

Generated by OpenCVE AI on May 14, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to version 18.4 or later, which contains the fix for the buffer over-read in pg_restore_attribute_stats().
  • If an immediate upgrade is not possible, audit and modify any scripts or tools that invoke pg_restore to ensure that statistics arrays have matching lengths before being processed.
  • Consult the PostgreSQL security advisory (https://www.postgresql.org/support/security/CVE-2026-6575/) for additional guidance and verify the database’s maintenance processes are not creating mismatched arrays.


Advisories

No advisories yet.

History

Thu, 14 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Postgresql; Postgresql postgresql
Vendors & Products | | Postgresql; Postgresql postgresql

Thu, 14 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.
Title | | PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array
Weaknesses | | CWE-126
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-14T15:26:40.715Z

Reserved: 2026-04-19T00:06:35.060Z

Link: CVE-2026-6575

Vulnrichment

Updated: 2026-05-14T15:26:37.243Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T14:16:25.693

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T15:00:12Z

Weaknesses