Security Vulnerability Report
CVE-2026-6637 CVSS 8.8 HIGH

Published: 2026-05-14 14:16:26
Last Modified: 2026-05-14 16:21:23
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

PostgreSQL < 18.4
PostgreSQL < 17.10
PostgreSQL < 16.14
PostgreSQL < 15.18
PostgreSQL < 14.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
sql
-- PoC Concept for CVE-2026-6637

-- Scenario 1: SQL Injection via refint cascade primary key update
-- The application updates a primary key column managed by the refint module based on user input.
-- Malicious payload (SQL Injection)
-- Value: '1; DROP TABLE sensitive_data; --'
-- Vulnerable Query (Simulated)
-- UPDATE users SET user_id = '1; DROP TABLE sensitive_data; --' WHERE user_id = 1;

-- Scenario 2: Stack Buffer Overflow
-- Sending a specially crafted long string to trigger the overflow in the refint module.
-- Payload construction requires a specific length to overwrite the return address.
-- Example (Conceptual):
-- 'A' * 1000 + [Return Address]

References

https://www.postgresql.org/support/security/CVE-2026-6637/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6637", "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "published": "2026-05-14T14:16:25.820", "lastModified": "2026-05-14T16:21:23.190", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Stack buffer overflow in PostgreSQL module \"refint\" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a \"refint\" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "metrics": {"cvssMetricV31": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6637/", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}]}}