Integer Wraparound Vulnerability in PostgreSQL Database Software
CVE-2026-6473

8.8HIGH

Key Information:

Vendor: PostgreSQL
Status: Postgresql
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-6473?

An integer wraparound vulnerability exists in various features of PostgreSQL server, allowing unprivileged users to manipulate memory allocations. This can lead to out-of-bounds writes, potentially executing arbitrary code with the privileges of the operating system user running the database. The issue is particularly severe when processing large user inputs, which may result in application crashes or unintended code execution. Affected versions must be updated to mitigate the risk.

Affected Version(s)

PostgreSQL 18 < 18.4

PostgreSQL 17 < 17.10

PostgreSQL 16 < 16.14

References

https://www.postgresql.org/support/security/CVE-2026-6473/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 17, 2026

Credit

The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

CVE-2026-6473 Data

JSON