CVE-2026-14178: CWE-416 Use after free in openGauss-server openGauss-server-7.0.0-RC2
When openGauss processes a to_timestamp call that carries an NLS parameter, to_timestamp_with_fmt_nls() saves nls_fmt_str into u_sess->parser_cxt.nls_fmt_str. On the seqscan + sort execution path, that string is allocated in the SeqScan's expression context; when the SeqScan completes, that memory context is reset, but in the later result-output phase timestamp_out() still accesses u_sess->parser_cxt.nls_fmt_str through CheckNlsFormat(), reading memory that has already been freed. An attacker with SQL execution privileges on the database can craft a specific to_timestamp(..., ..., nlsparam) query to trigger the heap-use-after-free. Under ASan/Memcheck this manifests as the database service exiting; in a production deployment it may cause the backend process to crash, affecting database availability and posing a denial-of-service risk. The issue exists in openGauss-server-7.0.0-RC1 and openGauss-server-7.0.0-RC2 and is fixed in openGauss-server-7.0.0-RC3. Because openGauss-server-7.0.0-RC1 and openGauss-server-7.0.0-RC2 are both innovation (preview) releases, no targeted patch packages will be released; affected deployments should upgrade to openGauss-server-7.0.0-RC3 or later.
AI Analysis
Technical Summary
The vulnerability arises in openGauss-server when processing to_timestamp calls with NLS parameters. The function to_timestamp_with_fmt_nls() saves nls_fmt_str into the session-global u_sess->parser_cxt.nls_fmt_str, but on the seqscan + sort execution path that string lives in the SeqScan expression context. After the SeqScan completes, this memory context is reset, yet timestamp_out() in the output phase still dereferences the stale pointer via CheckNlsFormat(), a classic use-after-free (CWE-416): a pointer into a short-lived memory context outlives the context it points into. The result is a backend process crash and denial of service. The flaw affects openGauss-server versions 7.0.0-RC1 and 7.0.0-RC2 and is resolved in 7.0.0-RC3. No targeted patches are released for the affected versions because they are innovation (preview) releases; upgrading is the recommended remediation.
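The following is an added illustration written for this page, not openGauss code and not the actual fix: a simplified model of the lifetime bug described above. A toy bump-allocating memory context stands in for the SeqScan expression context, a struct field stands in for u_sess->parser_cxt.nls_fmt_str, and the reset poisons its arena so the stale read is observable rather than undefined behaviour. The vulnerable variant stores a pointer into the per-node context; the hardened variant copies the string into a context whose lifetime matches the session. All function and context names, and the sample nlsparam value, are assumptions chosen for the example.

```c
/* Simplified model (not openGauss code) of the CWE-416 pattern in the advisory:
 * a pointer into a short-lived per-node memory context is stashed in a
 * session-global, the context is reset when the node finishes, and a later
 * phase dereferences the stale pointer. Names below are illustrative only. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CTX_SIZE 256
#define POISON   0xDD   /* byte pattern written over freed memory on reset */

/* Toy bump-allocating memory context, standing in for the MemoryContext
 * arenas used by PostgreSQL-derived servers. The last byte of buf is kept
 * as a permanent NUL so a stale read of poisoned memory stays in bounds. */
typedef struct {
    const char *name;
    char   buf[CTX_SIZE];
    size_t used;
} MemCtx;

static void ctx_init(MemCtx *c, const char *name) {
    c->name = name;
    c->used = 0;
    memset(c->buf, 0, sizeof c->buf);
}

static char *ctx_alloc(MemCtx *c, size_t n) {
    if (c->used + n > CTX_SIZE - 1) return NULL;   /* arena exhausted */
    char *p = c->buf + c->used;
    c->used += n;
    return p;
}

static char *ctx_strdup(MemCtx *c, const char *s) {
    size_t n = strlen(s) + 1;
    char *p = ctx_alloc(c, n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Reset = free everything in the context. A real allocator may hand the
 * memory out again immediately; we poison it so a stale read is visible. */
static void ctx_reset(MemCtx *c) {
    memset(c->buf, POISON, CTX_SIZE - 1);
    c->buf[CTX_SIZE - 1] = '\0';
    c->used = 0;
}

/* Session-global state, standing in for u_sess->parser_cxt.nls_fmt_str. */
typedef struct {
    const char *nls_fmt_str;
} SessionParserCtx;

/* Vulnerable pattern: stash a raw pointer into the per-node context. */
static void to_timestamp_nls_vuln(SessionParserCtx *sess, MemCtx *node_ctx,
                                  const char *nls_param) {
    sess->nls_fmt_str = ctx_strdup(node_ctx, nls_param);
}

/* Hardened pattern: the session-global only ever points into a context
 * whose lifetime matches the session, never into a per-node scratch arena. */
static void to_timestamp_nls_fixed(SessionParserCtx *sess, MemCtx *node_ctx,
                                   MemCtx *session_ctx, const char *nls_param) {
    (void)ctx_strdup(node_ctx, nls_param);            /* node-local scratch copy */
    sess->nls_fmt_str = ctx_strdup(session_ctx, nls_param);
}

/* Stand-in for CheckNlsFormat() as called from timestamp_out():
 * returns 1 if the saved format string is intact, 0 if it reads poison. */
static int check_nls_format(const SessionParserCtx *sess, const char *expected) {
    if (sess->nls_fmt_str == NULL) return 0;
    return strcmp(sess->nls_fmt_str, expected) == 0;
}

/* Drives the seqscan -> reset -> output sequence from the advisory.
 * fixed=0 reproduces the stale read; fixed=1 uses the session-lifetime copy. */
static int run_query(int fixed, const char *nls_param) {
    MemCtx session_ctx, scan_ctx;
    SessionParserCtx sess = { NULL };
    ctx_init(&session_ctx, "SessionContext");
    ctx_init(&scan_ctx, "SeqScanExprContext");

    /* SeqScan phase: to_timestamp(..., ..., nlsparam) evaluated per tuple. */
    if (fixed)
        to_timestamp_nls_fixed(&sess, &scan_ctx, &session_ctx, nls_param);
    else
        to_timestamp_nls_vuln(&sess, &scan_ctx, nls_param);

    /* Scan finished: its expression context is reset before Sort/output. */
    ctx_reset(&scan_ctx);

    /* Output phase: timestamp_out() consults the saved NLS format string. */
    return check_nls_format(&sess, nls_param);
}

int main(void) {
    const char *nls = "NLS_DATE_LANGUAGE = AMERICAN";   /* constructed sample */
    printf("vulnerable flow, format intact: %d\n", run_query(0, nls));
    printf("hardened flow,   format intact: %d\n", run_query(1, nls));
    return 0;
}
```

Under a real allocator the freed bytes would be reused or, under ASan, flagged at the first read, which is the crash the advisory describes; the poison pattern here just makes the stale read deterministic so the two flows can be compared. The same lifetime rule is the review check to apply to any session-global pointer: the context it points into must outlive every reader of that global.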
Potential Impact
Successful exploitation requires SQL execution privileges on the database and results in a heap use-after-free in the backend process, causing that process to crash and potentially denying service for the database. No impact on confidentiality or integrity is reported. The CVSS score is 5.9 (medium severity), reflecting the availability-only impact.
Mitigation Recommendations
The vulnerability is fixed in openGauss-server version 7.0.0-RC3. Since no patches are provided for versions 7.0.0-RC1 and 7.0.0-RC2, upgrading to 7.0.0-RC3 or a later version is the recommended remediation to address this issue.
CVSS v3.1
Score: 5.9 (medium)
Affected software
pkg:github/opengauss/openGauss-server
Weaknesses
CWE-416: Use After Free
Technical Details
- Data Version: 5.2
- Assigner Short Name: openGauss
- Date Reserved: 2026-06-30T07:37:54.949Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43cd7c27e9c79719e724b1
Added to database: 06/30/2026, 14:06:52 UTC
Last enriched: 06/30/2026, 14:21:49 UTC
Last updated: 06/30/2026, 15:06:36 UTC