CVE-2026-6575
PostgreSQL 취약성 분석 및 완화

개요

CVE-2026-6575 is a buffer over-read vulnerability in the PostgreSQL function pg_restore_attribute_stats(), which accepts array values of unmatched length, causing query planning to read past the end of one array. This allows an authenticated table maintainer to infer memory values beyond the intended array boundaries. Only PostgreSQL major version 18 is affected; specifically, minor versions before 18.4. Versions prior to PostgreSQL 18 are unaffected. It carries a CVSS v3.1 base score of 4.3 (Medium) (GitHub Advisory, PostgreSQL Advisory).

기술적 세부 사항

The root cause is classified as CWE-126 (Buffer Over-read): the pg_restore_attribute_stats() function fails to validate that input arrays are of matching length before passing them to the query planner, which then reads past the end of one of the arrays (GitHub Advisory). The attack vector is network-based and requires low privileges — specifically, the attacker must hold table maintainer privileges on the target database. No user interaction is required. The fix is available in the PostgreSQL git repository as commit 6d6348f0329dd50ba9f954df28c2ffa88a15df07 (PostgreSQL Git).

영향

Successful exploitation results in a limited memory disclosure: an authenticated table maintainer can infer the contents of memory locations beyond the intended array boundary during query planning. The impact is confined to confidentiality (low), with no integrity or availability consequences. There is no evidence that this vulnerability enables privilege escalation, lateral movement, or arbitrary code execution (GitHub Advisory, PostgreSQL Advisory).

착취 단계

  1. Identify target: Confirm the target PostgreSQL instance is running major version 18 with a minor version before 18.4.
  2. Obtain table maintainer privileges: The attacker must already hold or acquire table maintainer (e.g., table owner) privileges on a target database, either through legitimate access or credential compromise.
  3. Craft malicious call: Invoke pg_restore_attribute_stats() with array arguments of deliberately mismatched lengths to trigger the buffer over-read during query planning.
  4. Infer memory contents: Observe query planner behavior or error output to infer values from memory locations beyond the intended array boundary, potentially exposing sensitive in-memory data.

Note: No public PoC or detailed exploitation technique has been published; these steps are based on the vulnerability description (GitHub Advisory, PostgreSQL Advisory).

타협의 징후

  • Logs: PostgreSQL server logs showing repeated or unusual calls to pg_restore_attribute_stats() with mismatched array parameters, potentially accompanied by query planner warnings or errors.
  • Database Activity: Queries from table maintainer accounts invoking pg_restore_attribute_stats() with atypical argument patterns outside of normal maintenance windows.
  • Network: Unexpected or high-frequency connections from low-privileged database users performing attribute statistics restoration operations.

완화 및 해결 방법

The primary remediation is to upgrade PostgreSQL 18 to version 18.4 or later, which contains the fix (PostgreSQL Release News, PostgreSQL Release Notes). As a workaround, restrict the pg_restore_attribute_stats() function and table maintenance privileges to only fully trusted users. Monitor for unusual invocations of this function as a detection measure. PostgreSQL versions prior to 18 are not affected and require no action.

커뮤니티 반응

The vulnerability was disclosed as part of the PostgreSQL May 2026 security release, which addressed 11 CVEs simultaneously, drawing coverage from security news outlets including SecurityOnline, CyberPress, GBHackers, and CybersecurityNews (SecurityOnline, GBHackers). Community blog posts such as "Eleven CVEs Walk Into a Release" on thebuild.com provided analysis of the full release (TheBuild Blog). Downstream distributions including openSUSE, Ubuntu, and Amazon Linux 2023 issued their own security advisories incorporating the PostgreSQL 18.4 update. Overall community sentiment treated this specific CVE as low-severity given its limited scope and the requirement for existing privileges.

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 PostgreSQL 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-6638HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql:16::postgresql-private-devel
아니요May 14, 2026
CVE-2026-6637HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql17-pltcl
아니요May 14, 2026
CVE-2026-6479HIGH7.5
  • PostgreSQL logoPostgreSQL
  • postgresql14-pltcl
아니요May 14, 2026
CVE-2026-6478MEDIUM6.5
  • PostgreSQL logoPostgreSQL
  • postgresql16
아니요May 14, 2026
CVE-2026-6575MEDIUM4.3
  • PostgreSQL logoPostgreSQL
  • postgresql18-server-devel-debuginfo
아니요May 14, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자