
[CIVN-2026-0260] Multiple Vulnerabilities in PostgreSQL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in PostgreSQL
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
PostgreSQL 14 versions prior to 14.23
PostgreSQL 15 versions prior to 15.18
PostgreSQL 16 versions prior to 16.14
PostgreSQL 17 versions prior to 17.10
PostgreSQL 18 versions prior to 18.4
Overview
Multiple vulnerabilities have been reported in PostgreSQL, which could allow an attacker to execute arbitrary SQL commands, disclose sensitive information, overwrite files, escalate privileges, cause denial of service, or execute arbitrary code on the targeted system.
Target Audience:
All end-user organizations and individuals running the affected PostgreSQL versions.
Risk Assessment:
High risk of remote code execution, privilege escalation, denial of service and sensitive information disclosure.
Impact Assessment:
Potential for remote code execution, privilege escalation, denial of service and/or disclosure of sensitive information.
Description
PostgreSQL is an open-source, object-relational database management system (ORDBMS) that is widely used for managing and storing structured data.
Multiple vulnerabilities have been reported in PostgreSQL due to missing authorization checks, integer wraparound, externally controlled format string handling, symlink following, SQL injection flaws, unsafe memory handling, uncontrolled recursion, buffer over-read, stack buffer overflow, and timing-channel issues in PostgreSQL server components, client library functions, utilities, authentication handling, and replication-related functionality.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary SQL commands, disclose sensitive information, overwrite files, escalate privileges, cause denial of service, or execute arbitrary code on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
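The quickest way to act on the "Software Affected" list above is to compare each running server's reported version with the fixed minor release for its major series. The script below is an added example written for this page, not code from CERT-In or the PostgreSQL project; the fixed-release table is copied from the list above, and the sample version strings are constructed to mimic the output of `SELECT version();` and `SHOW server_version;` rather than taken from real hosts. Major versions the advisory does not list are reported as "not covered" rather than assumed safe, because the advisory makes no statement about them.

```python
import re

# Minimum fixed minor release per major series, exactly as listed in the
# advisory's "Software Affected" section (assumption: that list is complete).
FIXED_MINOR = {14: 23, 15: 18, 16: 14, 17: 10, 18: 4}

# Matches the leading "PostgreSQL 16.9 ..." of `SELECT version()` output and
# the bare "16.9 (...)" form returned by `SHOW server_version`.
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from a version() or server_version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(text):
    """Classify one server's version string against the advisory.

    "vulnerable"  -> major listed and minor below the fixed release
    "fixed"       -> major listed and minor at or above the fixed release
    "not covered" -> major not listed in the advisory (decide separately)
    "unparseable" -> no version number found in the input
    """
    v = parse_version(text)
    if v is None:
        return "unparseable"
    major, minor = v
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "not covered"
    return "vulnerable" if minor < fixed else "fixed"


# Constructed sample banners (hypothetical hosts, not real systems), in the
# shapes produced by `SELECT version();` and `SHOW server_version;`.
SAMPLES = {
    "db-a": "PostgreSQL 16.9 (Debian 16.9-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "db-b": "PostgreSQL 17.10 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "db-c": "14.22",
    "db-d": "PostgreSQL 13.20 (Ubuntu 13.20-1.pgdg22.04+1) on x86_64-pc-linux-gnu",
    "db-e": "18.4 (Debian 18.4-1.pgdg130+1)",
}


def assess_all(samples):
    """Map host name -> assessment for a dict of version strings."""
    return {host: assess(banner) for host, banner in samples.items()}


if __name__ == "__main__":
    for host, result in assess_all(SAMPLES).items():
        print(f"{host:6} {parse_version(SAMPLES[host])} -> {result}")
```

In practice the input for each host comes from `psql -Atc "SELECT version();"` run by any role (no superuser rights are needed to read the version). A server that reports "fixed" has the patched binaries installed only if it was restarted after the package update; PostgreSQL minor releases do not require a dump and restore, but the old executable keeps serving until the postmaster is restarted.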
Vendor Information
PostgreSQL
https://www.postgresql.org/support/security/
References
https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
CVE Name
CVE-2026-6472
CVE-2026-6473
CVE-2026-6474
CVE-2026-6475
CVE-2026-6476
CVE-2026-6477
CVE-2026-6478
CVE-2026-6479
CVE-2026-6575
CVE-2026-6637
CVE-2026-6638
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
=6EfG
-----END PGP SIGNATURE-----