CVE-2026-6474
Analyzed - Analysis Complete
BaseFortify
Publication date: 2026-05-14
Last updated on: 2026-05-18
Assigner: PostgreSQL
Description
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postgresql | postgresql | From 16.0 (inc) to 16.14 (exc) |
| postgresql | postgresql | From 17.0 (inc) to 17.10 (exc) |
| postgresql | postgresql | From 18.0 (inc) to 18.4 (exc) |
| postgresql | postgresql | From 15.0 (inc) to 15.18 (exc) |
| postgresql | postgresql | to 14.23 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-134 | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |