HIGHCVE-2026-6637Published Modified CNA PostgreSQL
CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL injection
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 14.23
- Affected Products
- 1
Fix available
14.2315.1816.1417.1018.4
Affected packages
- n/a / PostgreSQL< 18.4 (from 18) · < 17.10 (from 17) · < 16.14 (from 16) · < 15.18 (from 15) · < 14.23 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences