CVE-2026-6479:
PostgreSQL Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-6479 is an uncontrolled recursion vulnerability in PostgreSQL's SSL and GSS negotiation logic that allows an attacker to cause a sustained denial of service. It affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23 across the 14.x through 18.x release branches. The vulnerability was published on May 14, 2026, with patches released the same day. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, PostgreSQL Security).
Técnicas
The root cause is uncontrolled recursion (CWE-674) within PostgreSQL's SSL and GSS connection negotiation code path. An attacker who can connect to a PostgreSQL AF_UNIX socket can trigger this recursion to exhaust stack or memory resources, causing a denial of service. If both SSL and GSS are disabled, the same attack is achievable via a TCP socket connection, broadening the attack surface to network-accessible instances. The fix is tracked in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).
Impacto
Successful exploitation results in a sustained denial of service, crashing or hanging the PostgreSQL database service and preventing legitimate users and applications from accessing the database. There is no confidentiality or integrity impact — the vulnerability is limited to availability. Affected deployments include any PostgreSQL instance in the 14.x–18.x range that exposes an AF_UNIX socket (always) or a TCP socket when SSL/GSS is disabled (GitHub Advisory, PostgreSQL Security).
Mitigación y soluciones alternativas
PostgreSQL has released patched versions: 18.4, 17.10, 16.14, 15.18, and 14.23. Upgrading to one of these versions is the primary recommended remediation (PostgreSQL Release). As a temporary workaround, enabling SSL or GSS authentication mitigates the TCP socket attack vector by requiring authentication during connection negotiation. Additionally, restricting network access to PostgreSQL TCP sockets via firewall rules and limiting local AF_UNIX socket access to trusted users reduces exposure. Linux distribution vendors including SUSE, openSUSE, Debian, Ubuntu, and Amazon Linux have also released updated packages (SUSE Advisory).
Reacciones de la comunidad
The PostgreSQL project disclosed this CVE as part of a coordinated release addressing 11 CVEs simultaneously in May 2026, which drew notable community attention (thebuild.com Blog). Security news outlets including GBHackers, CyberSecurityNews, and SecurityOnline covered the broader PostgreSQL security update, highlighting the scope of the release (SecurityOnline). The oss-security mailing list also received a disclosure notification (oss-sec). Notably, the CVE was credited to Anthropic, reflecting an AI-assisted vulnerability discovery (Anthropic-Credited CVEs).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado PostgreSQL Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."