The vulnerability CVE-2026-6477 in PostgreSQL stems from the use of the PQfn function with result_is_int=0 in libpq functions lo_export(), lo_read(), lo_lseek64(), and lo_tell64(). This function stores arbitrary-length data from the server into a client buffer without size constraints, enabling a server superuser to overwrite the client stack buffer. This affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23. The vulnerability can be triggered via the \lo_export command in psql and during pg_dump operations, potentially corrupting stack memory. The CVSS 3.1 score is 8.8, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability. No official patch or vendor advisory details are provided in the input.

An attacker with server superuser privileges can exploit this vulnerability to overwrite client stack memory buffers with arbitrarily large data. This can lead to client application crashes or potentially arbitrary code execution on the client side. The vulnerability affects PostgreSQL client utilities such as psql and pg_dump when using the \lo_export command or lo_read() function. The high CVSS score reflects the critical impact on confidentiality, integrity, and availability if exploited. However, exploitation requires server superuser privileges and user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided in the available data, users should monitor PostgreSQL vendor communications for updates. Until a fix is available, limit server superuser access and avoid using the affected functions or commands (\lo_export, lo_read) in untrusted environments. No vendor advisory states that no action is required or that the issue is already mitigated.