CVE-2026-6474

Severity CVSS v4.0:
Pending analysis
Type:
CWE-134 Format String Vulnerability
Publication date:
14/05/2026
Last modified:
18/05/2026

Description

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 14.23 (excluding)
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 15.0 (including) 15.18 (excluding)
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 16.0 (including) 16.14 (excluding)
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 17.0 (including) 17.10 (excluding)
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 18.0 (including) 18.4 (excluding)


References to Advisories, Solutions, and Tools