
Security release!

  • Prevent unbounded recursion while processing startup packets (Michael Paquier)

    A malicious client could crash the connected backend by alternating rejected SSL and GSS encryption requests indefinitely.

    The PostgreSQL Project thanks Calif.io (in collaboration with Claude and Anthropic Research) for reporting this problem. (CVE-2026-6479)

  • Fix assorted integer overflows in memory-allocation calculations (Tom Lane, Nathan Bossart, Heikki Linnakangas)

    Various places were incautious about the possibility of integer overflow in calculations of how much memory to allocate. Overflow would lead to allocating a too-small buffer which the caller would then write past the end of. This would at least trigger server crashes, and probably could be exploited for arbitrary code execution. In many but by no means all cases, the hazard exists only in 32-bit builds.

    The PostgreSQL Project thanks Xint Code, Bruce Dang, Sven Klemm, and Pavel Kohout for reporting these problems. (CVE-2026-6473)

  • Properly quote subscription names in pg_createsubscriber (Nathan Bossart)

    The given subscription name was inserted into SQL commands without quoting, so that SQL injection could be achieved in the (perhaps unlikely) case that the subscription name comes from an untrusted source.

    The PostgreSQL Project thanks Yu Kunpeng for reporting this problem. (CVE-2026-6476)

  • Properly quote object names in logical replication origin checks (Pavel Kohout)

    ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and relation names into SQL commands without quoting them, allowing execution of arbitrary SQL on the publisher.

    The PostgreSQL Project thanks Pavel Kohout for reporting this problem. (CVE-2026-6638)

  • Reject over-length options in ts_headline() (Michael Paquier)

    The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb in length, but this was not checked for. An over-length value would typically crash the server.

    The PostgreSQL Project thanks Xint Code for reporting this problem. (CVE-2026-6473)

  • Detect faulty input when restoring attribute MCV statistics (Michael Paquier)

    The statistics restore functions were insufficiently careful about validating most-common-value statistics, and would accept values that could crash the planner later on.

    The PostgreSQL Project thanks Jeroen Gui for reporting this problem. (CVE-2026-6575)

  • Guard against malicious time zone names in timeofday() and pg_strftime() (Tom Lane)

    A crafted time zone setting could pass % sequences to snprintf(), potentially causing crashes or disclosure of server memory. Another path to similar results was to overflow the limited-size output buffer used by pg_strftime().

    The PostgreSQL Project thanks Xint Code for reporting this problem. (CVE-2026-6474)

  • When creating a multirange type, ensure the user has CREATE privilege on the schema specified for the multirange type (Jelte Fennema-Nio)

    The multirange type can be put into a different schema than its parent range type, but we neglected to apply the required privilege check when doing so.

    The PostgreSQL Project thanks Jelte Fennema-Nio for reporting this problem. (CVE-2026-6472)
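An added example for the memory-allocation integer-overflow entry above (written for this page, not code from PostgreSQL's source): the unchecked size computation that entry describes beside an overflow-checked one. The function names and the max_alloc cap are assumptions; uint32_t models the 32-bit build in which the entry says the hazard mostly exists, so the wraparound is visible on a 64-bit host as well.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive 32-bit size arithmetic: nelems * elemsize wraps modulo 2^32, so a
 * large element count yields a tiny byte count that the caller overruns. */
static uint32_t size32_naive(uint32_t nelems, uint32_t elemsize)
{
    return nelems * elemsize;
}

/* Checked variant: multiply in 64 bits (a 32x32 product always fits) and
 * refuse any result that does not fit the 32-bit size type. */
static bool size32_checked(uint32_t nelems, uint32_t elemsize, uint32_t *out)
{
    uint64_t wide = (uint64_t) nelems * elemsize;
    if (wide > UINT32_MAX)
        return false;
    *out = (uint32_t) wide;
    return true;
}

/* Native-width version: header + nelems * elemsize, rejecting overflow at each
 * step and enforcing an allocator cap (assumed parameter here; PostgreSQL's
 * palloc has its own limit, MaxAllocSize). */
static bool checked_alloc_size(size_t header, size_t nelems, size_t elemsize,
                               size_t max_alloc, size_t *out)
{
    size_t bytes;
    if (elemsize != 0 && nelems > SIZE_MAX / elemsize)
        return false;                     /* product would wrap */
    bytes = nelems * elemsize;
    if (bytes > SIZE_MAX - header)
        return false;                     /* adding the header would wrap */
    bytes += header;
    if (bytes > max_alloc)
        return false;                     /* exceeds allocator limit */
    *out = bytes;
    return true;
}

int main(void)
{
    uint32_t nelems = 0x10000001u;        /* constructed: 2^28 + 1 elements of 16 bytes */
    uint32_t n32 = 0;
    printf("naive: %u bytes, checked: %s\n", size32_naive(nelems, 16u),
           size32_checked(nelems, 16u, &n32) ? "ok" : "rejected");
    return 0;
}
```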
