First Published: 2026/06/22
Important: This is an assessment of the impact of CVE-2026-6477 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Vulnerability details
CVE-ID: CVE-2026-6477
CVE Publish Date: 2026/05/14
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products and versions
PostgreSQL
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
EnterpriseDB Postgres Advanced Server (EPAS)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14.0
- All versions prior to 15.18.0
- All versions prior to 14.23.0
EnterpriseDB Postgres Extended (PGE)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
CloudNativePG
- All operand versions prior to 18.4
- All operand versions prior to 17.10
- All operand versions prior to 16.14
- All operand versions prior to 15.18
- All operand versions prior to 14.23
WarehousePG
- All 6.x versions prior to 6.27.5
- All 7.2.x versions prior to 7.2.4
- All 7.3.x versions prior to 7.3.2
- All 7.4.x versions prior to 7.4.1
Remediation/fixes
EDB Postgres Extended Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4.0 | 18.4.0 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14 | 16.14 | 2026-05-14 |
| prior to 15.18 | 15.18 | 2026-05-14 |
| prior to 14.23 | 14.23 | 2026-05-14 |
EDB Postgres Advanced Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4 | 18.4 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14.0 | 16.14.0 | 2026-05-14 |
| prior to 15.18.0 | 15.18.0 | 2026-05-14 |
| prior to 14.23.0 | 14.23.0 | 2026-05-14 |
CloudNativePG
Customer should update to the fixed version of the PostgreSQL operands.
WarehousePG
WarehousePG fixes are available in the following versions:
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| All 6.x prior to 6.27.5 | 6.27.5-WHPG | 2026-06-15 |
| All 7.2.x prior to 7.2.4 | 7.2.4-WHPG | 2026-06-15 |
| All 7.3.x prior to 7.3.2 | 7.3.2-WHPG | 2026-06-15 |
| All 7.4.x prior to 7.4.1 | 7.4.1-WHPG | 2026-06-15 |
| Development (main) prior to 7.5.0 | 7.5.0-WHPG | 2026-06-08 |
References
- CVSS Calculator v3.1
- NVD - CVE-2026-6477 Detail
- https://www.postgresql.org/support/security/CVE-2026-6477/
- CWE-242 Use of Inherently Dangerous Function
Related information
Acknowledgement
Source: PostgreSQL.org
Change history
22 June 2026: Updated WarehousePG remediation with released fix versions
04 June 2026: Added WarehousePG as an affected product
27 May 2026: Added CloudNativePG as an affected product
14 May 2026: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.