Description
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Published: 2026-05-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer overflow in the PostgreSQL refint module enables an unprivileged database user to execute arbitrary code as the operating system user running the database. In addition, if a column marked as a refint cascade primary key is user-controlled, a separate SQL injection flaw permits the attacker to run arbitrary SQL as the database user performing the update. The combination of stack overflow (CWE-121) and SQL injection (CWE-89) could lead to full compromise of the database server and its underlying operating system.

Affected Systems

All PostgreSQL versions earlier than 18.4, 17.10, 16.14, 15.18, and 14.23 that include the refint extension are vulnerable. This includes both enterprise and community deployments of PostgreSQL 14 through 18.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity; the EPSS score is not available. The recorded CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a network attack vector with low privileges required: the attacker needs database privileges to execute malicious statements against refint on a system with the module enabled. If a refint cascade primary key column is user-controlled, the attacker can also inject SQL that executes as the database user performing the primary key update. The issue is not listed in the CISA KEV catalog, but the potential for OS-level compromise warrants urgent attention.

Generated by OpenCVE AI on May 14, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PostgreSQL 18.4, 17.10, 16.14, 15.18, or 14.23 to apply the fix for the refint buffer overflow and SQL injection flaws.
  • If an upgrade cannot be performed immediately, disable the refint extension or remove it from affected schemas until a patched version is available.
  • Reconfigure any refint cascade primary key columns so that they are not user‑controlled; limit privileges and avoid user‑controlled updates to these columns.
  • Ensure application code that interacts with refint columns uses parameterized queries and proper input validation to mitigate the risk of accidental SQL injection.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DSA | DSA-6269-1 | postgresql-15 security update |
| Debian DSA | DSA-6270-1 | postgresql-17 security update |

History

Thu, 14 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Thu, 14 May 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Postgresql; Postgresql postgresql |
| Vendors & Products | | Postgresql; Postgresql postgresql |

Thu, 14 May 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. |
| Title | | PostgreSQL refint allows stack buffer overflow and SQL injection |
| Weaknesses | | CWE-121; CWE-89 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-14T15:27:54.400Z

Reserved: 2026-04-19T19:58:20.340Z

Link: CVE-2026-6637

Vulnrichment

Updated: 2026-05-14T15:27:51.544Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T14:16:25.820

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T15:00:12Z
