CVE-2026-6479

Summary

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Affected Software

VendorProductVersion RangeStatus
n/aPostgreSQL18 < 18.4affected
n/aPostgreSQL17 < 17.10affected
n/aPostgreSQL16 < 16.14affected
n/aPostgreSQL15 < 15.18affected
n/aPostgreSQL0 < 14.23affected

Weaknesses

  • CWE-674: Uncontrolled Recursion

Workarounds

enable SSL and/or GSS; disable unix_socket_directories

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References