
PEACH
Un cadre d’isolation des locataires
CVE-2026-6479 is an uncontrolled recursion vulnerability in PostgreSQL's SSL and GSS negotiation logic that allows an attacker to cause a sustained denial of service. It affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23 across the 14.x through 18.x release branches. The vulnerability was published on May 14, 2026, with patches released the same day. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, PostgreSQL Security).
The root cause is uncontrolled recursion (CWE-674) within PostgreSQL's SSL and GSS connection negotiation code path. An attacker who can connect to a PostgreSQL AF_UNIX socket can trigger this recursion to exhaust stack or memory resources, causing a denial of service. If both SSL and GSS are disabled, the same attack is achievable via a TCP socket connection, broadening the attack surface to network-accessible instances. The fix is tracked in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).
Successful exploitation results in a sustained denial of service, crashing or hanging the PostgreSQL database service and preventing legitimate users and applications from accessing the database. There is no confidentiality or integrity impact — the vulnerability is limited to availability. Affected deployments include any PostgreSQL instance in the 14.x–18.x range that exposes an AF_UNIX socket (always) or a TCP socket when SSL/GSS is disabled (GitHub Advisory, PostgreSQL Security).
PostgreSQL has released patched versions: 18.4, 17.10, 16.14, 15.18, and 14.23. Upgrading to one of these versions is the primary recommended remediation (PostgreSQL Release). As a temporary workaround, enabling SSL or GSS authentication mitigates the TCP socket attack vector by requiring authentication during connection negotiation. Additionally, restricting network access to PostgreSQL TCP sockets via firewall rules and limiting local AF_UNIX socket access to trusted users reduces exposure. Linux distribution vendors including SUSE, openSUSE, Debian, Ubuntu, and Amazon Linux have also released updated packages (SUSE Advisory).
The PostgreSQL project disclosed this CVE as part of a coordinated release addressing 11 CVEs simultaneously in May 2026, which drew notable community attention (thebuild.com Blog). Security news outlets including GBHackers, CyberSecurityNews, and SecurityOnline covered the broader PostgreSQL security update, highlighting the scope of the release (SecurityOnline). The oss-security mailing list also received a disclosure notification (oss-sec). Notably, the CVE was credited to Anthropic, reflecting an AI-assisted vulnerability discovery (Anthropic-Credited CVEs).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."