CVE-2026-6477

Summary

Use of inherently dangerous function PQfn(…, result_is_int=0, …) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(…, result_is_int=0, …) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Affected Software

VendorProductVersion RangeStatus
n/aPostgreSQL18 < 18.4affected
n/aPostgreSQL17 < 17.10affected
n/aPostgreSQL16 < 16.14affected
n/aPostgreSQL15 < 15.18affected
n/aPostgreSQL0 < 14.23affected

Weaknesses

  • CWE-242: Use of Inherently Dangerous Function

Workarounds

use PQexecPrepared(), not PQfn(…, result_is_int=0, …) or its lo_* wrappers

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory

Additional References

References