Stack Buffer Overflow in PostgreSQL 'refint' Module Affects Database Functionality
CVE-2026-6637
8.8 HIGH
What is CVE-2026-6637?
A stack buffer overflow vulnerability exists in the 'refint' module of PostgreSQL, which can be exploited by an unprivileged database user. If a user-controlled column is declared as a 'refint' cascade primary key, and updates to that column are allowed, an attacker may leverage a SQL injection to execute arbitrary SQL commands as the database user. This vulnerability poses a significant risk, enabling unauthorized code execution in the context of the operating system user running the database. Users are advised to upgrade to PostgreSQL versions 18.4, 17.10, 16.14, 15.18, and 14.23 or later to mitigate potential exploitation.
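To see whether a database meets the precondition described above (a 'refint' cascade trigger on a table that low-privileged roles can update), the catalog query below can be run in each database. It is an added example, not part of the advisory or the PostgreSQL project's own tooling, and it assumes the stock contrib build, where the refint trigger functions are C functions whose library path in pg_proc.probin contains "refint".

```sql
-- Added audit query (not from the advisory). Run as a superuser in each database.
-- Assumption: refint's trigger functions are C functions whose library path
-- (pg_proc.probin) contains 'refint', as in the stock contrib build.
WITH refint_triggers AS (
    SELECT c.oid                    AS table_oid,
           c.oid::regclass          AS table_name,
           t.tgname                 AS trigger_name,
           p.proname                AS trigger_function,
           pg_get_triggerdef(t.oid) AS definition
    FROM pg_trigger t
    JOIN pg_proc  p ON p.oid = t.tgfoid
    JOIN pg_class c ON c.oid = t.tgrelid
    WHERE NOT t.tgisinternal
      AND p.probin LIKE '%refint%'
)
SELECT rt.table_name,
       rt.trigger_name,
       rt.trigger_function,
       -- the cascade action is passed as a trigger argument, so it shows up
       -- in the reconstructed CREATE TRIGGER text
       rt.definition ILIKE '%cascade%' AS uses_cascade,
       -- non-superuser roles that may UPDATE the table or any of its columns
       -- (includes the owner and anything granted to PUBLIC)
       COALESCE(
           (SELECT string_agg(r.rolname, ', ' ORDER BY r.rolname)
            FROM pg_roles r
            WHERE NOT r.rolsuper
              AND (has_table_privilege(r.oid, rt.table_oid, 'UPDATE')
                   OR has_any_column_privilege(r.oid, rt.table_oid, 'UPDATE'))),
           '(none)')                   AS non_superuser_updaters,
       rt.definition
FROM refint_triggers rt
ORDER BY uses_cascade DESC, rt.table_name, rt.trigger_name;
```

An empty result means no refint triggers are defined in that database; rows with uses_cascade true and a non-empty updater list are the ones to review first while the upgrade is scheduled.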
Affected Version(s)
PostgreSQL 18 < 18.4
PostgreSQL 17 < 17.10
PostgreSQL 16 < 16.14
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.