CVE-2026-6479
PostgreSQL Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-6479 is an uncontrolled recursion vulnerability in PostgreSQL's SSL and GSS negotiation logic that allows an attacker to cause a sustained denial of service. It affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23 across the 14.x through 18.x release branches. The vulnerability was published on May 14, 2026, with patches released the same day. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, PostgreSQL Security).

Détails techniques

The root cause is uncontrolled recursion (CWE-674) within PostgreSQL's SSL and GSS connection negotiation code path. An attacker who can connect to a PostgreSQL AF_UNIX socket can trigger this recursion to exhaust stack or memory resources, causing a denial of service. If both SSL and GSS are disabled, the same attack is achievable via a TCP socket connection, broadening the attack surface to network-accessible instances. The fix is tracked in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).

Impact

Successful exploitation results in a sustained denial of service, crashing or hanging the PostgreSQL database service and preventing legitimate users and applications from accessing the database. There is no confidentiality or integrity impact — the vulnerability is limited to availability. Affected deployments include any PostgreSQL instance in the 14.x–18.x range that exposes an AF_UNIX socket (always) or a TCP socket when SSL/GSS is disabled (GitHub Advisory, PostgreSQL Security).

Atténuation et solutions de contournement

PostgreSQL has released patched versions: 18.4, 17.10, 16.14, 15.18, and 14.23. Upgrading to one of these versions is the primary recommended remediation (PostgreSQL Release). As a temporary workaround, enabling SSL or GSS authentication mitigates the TCP socket attack vector by requiring authentication during connection negotiation. Additionally, restricting network access to PostgreSQL TCP sockets via firewall rules and limiting local AF_UNIX socket access to trusted users reduces exposure. Linux distribution vendors including SUSE, openSUSE, Debian, Ubuntu, and Amazon Linux have also released updated packages (SUSE Advisory).

Réactions de la communauté

The PostgreSQL project disclosed this CVE as part of a coordinated release addressing 11 CVEs simultaneously in May 2026, which drew notable community attention (thebuild.com Blog). Security news outlets including GBHackers, CyberSecurityNews, and SecurityOnline covered the broader PostgreSQL security update, highlighting the scope of the release (SecurityOnline). The oss-security mailing list also received a disclosure notification (oss-sec). Notably, the CVE was credited to Anthropic, reflecting an AI-assisted vulnerability discovery (Anthropic-Credited CVEs).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PostgreSQL Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-6638HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql16-private-libs
NonOuiMay 14, 2026
CVE-2026-6637HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql16
NonOuiMay 14, 2026
CVE-2026-6479HIGH7.5
  • PostgreSQL logoPostgreSQL
  • postgresql16-debugsource
NonOuiMay 14, 2026
CVE-2026-6478MEDIUM6.5
  • PostgreSQL logoPostgreSQL
  • postgresql18-upgrade-debuginfo
NonOuiMay 14, 2026
CVE-2026-6575MEDIUM4.3
  • PostgreSQL logoPostgreSQL
  • postgresql18-contrib
NonOuiMay 14, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités