CVE-2026-6575
Published: May 18, 2026Last modified: May 19, 2026
Description
Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.3 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | NONE |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Notes
https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | postgresql15 | Not affected (15.17-r0) |
| 25 LTS | postgresql17 | Not affected (17.9-r0) | |
| Stream | postgresql18 | Fixed (18.4-r0) |