CVE-2026-6473: Integer Overflow or Wraparound in PostgreSQL
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
AI Analysis
Technical Summary
This vulnerability involves integer wraparound in several PostgreSQL server features, enabling an unprivileged user to trigger undersized memory allocations and out-of-bounds writes. This can lead to arbitrary code execution as the OS user running PostgreSQL. Additionally, large user inputs to these functions may cause segmentation faults in applications. The issue affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23. The CVSS v3.1 base score is 8.8, reflecting high severity with network attack vector, low attack complexity, and requiring low privileges but no user interaction.
Potential Impact
Successful exploitation can result in arbitrary code execution with the privileges of the PostgreSQL server process, which may lead to full compromise of the database server environment. Additionally, applications passing large inputs to the vulnerable functions may crash due to segmentation faults. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the official PostgreSQL vendor advisory for current remediation guidance. The affected versions are prior to PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23, so upgrading to these or later versions may address the issue once official patches are released. Until then, monitor vendor communications for updates.
CVE-2026-6473: Integer Overflow or Wraparound in PostgreSQL
Description
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves integer wraparound in several PostgreSQL server features, enabling an unprivileged user to trigger undersized memory allocations and out-of-bounds writes. This can lead to arbitrary code execution as the OS user running PostgreSQL. Additionally, large user inputs to these functions may cause segmentation faults in applications. The issue affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23. The CVSS v3.1 base score is 8.8, reflecting high severity with network attack vector, low attack complexity, and requiring low privileges but no user interaction.
Potential Impact
Successful exploitation can result in arbitrary code execution with the privileges of the PostgreSQL server process, which may lead to full compromise of the database server environment. Additionally, applications passing large inputs to the vulnerable functions may crash due to segmentation faults. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the official PostgreSQL vendor advisory for current remediation guidance. The affected versions are prior to PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23, so upgrading to these or later versions may address the issue once official patches are released. Until then, monitor vendor communications for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- PostgreSQL
- Date Reserved
- 2026-04-17T00:27:22.802Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05cfe8ec166c07b0e1393b
Added to database: 5/14/2026, 1:36:40 PM
Last enriched: 5/14/2026, 1:52:23 PM
Last updated: 5/15/2026, 7:48:27 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.