CVE-2026-14178
Deferred - Pending Action

Heap-use-after-free in openGauss to_timestamp

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: openGauss Community

Description

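When openGauss processes a to_timestamp call that carries an NLS parameter, to_timestamp_with_fmt_nls() saves nls_fmt_str to u_sess->parser_cxt.nls_fmt_str. On the seqscan + sort execution path, this string was originally allocated in the SeqScan's expression context; once the SeqScan completes, that memory context is reset, but in the subsequent result output stage timestamp_out() still accesses u_sess->parser_cxt.nls_fmt_str through CheckNlsFormat(), resulting in access to freed memory. An attacker with database SQL execution privileges can construct a specific to_timestamp(..., ..., nlsparam) query to trigger a heap-use-after-free. Under ASan/Memcheck this manifests as the database service exiting; in a real runtime environment it may cause the backend process to exit abnormally, affecting database service availability and creating a denial-of-service risk. The issue exists in openGauss-server-7.0.0-RC1 and openGauss-server-7.0.0-RC2 and has been fixed in openGauss-server-7.0.0-RC3. Because openGauss-server-7.0.0-RC1 and openGauss-server-7.0.0-RC2 are both innovation releases, no dedicated patch packages will be released; affected versions should upgrade to openGauss-server-7.0.0-RC3 or later.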

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs
Vendor     Product           Version / Range
opengauss  opengauss-server  to 7.0.0-RC3 (exc)
opengauss  opengauss-server  7.0.0-RC3

Exploitability

CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Executive Summary

This vulnerability exists in openGauss when handling to_timestamp calls with NLS parameters. Specifically, the function to_timestamp_with_fmt_nls() saves the nls_fmt_str into a session parser context. During the seqscan + sort execution path, this string is allocated in the SeqScan expression context, which is reset after SeqScan completes. However, later stages still access this freed memory, causing a heap-use-after-free condition.

An attacker with SQL execution permissions can craft a specific to_timestamp query with an nlsparam to trigger this use-after-free. In memory-checking environments, this causes the database service to exit; in real environments, it may cause backend process crashes, leading to denial of service.

This issue affects openGauss-server versions 7.0.0-RC1 and 7.0.0-RC2 and is fixed in version 7.0.0-RC3.
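
The lifetime mismatch described above, modelled as an added example that is not openGauss code and not the project's fix: a session-level slot refers to a string allocated in a per-scan context that is reset before the output stage reads it. The toy context (`Ctx`, `Ref` and all function names are hypothetical) carries a generation counter so the stale reference is detected rather than dereferenced; copying into session-lifetime memory is shown as one common hardening pattern, on the assumption that the slot must outlive the scan.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a resettable memory context (hypothetical, not openGauss code). */
typedef struct { char buf[256]; size_t used; unsigned gen; } Ctx;

/* A reference that remembers which generation of the context it was allocated in. */
typedef struct { Ctx *ctx; unsigned gen; const char *p; } Ref;

/* Copy s into the context's arena; NULL if it does not fit. */
static const char *ctx_strdup(Ctx *c, const char *s) {
    size_t n = strlen(s) + 1;
    if (c->used + n > sizeof c->buf) return NULL;
    char *d = c->buf + c->used;
    memcpy(d, s, n);
    c->used += n;
    return d;
}

/* Reset invalidates every allocation made so far, like the reset after the scan. */
static void ctx_reset(Ctx *c) { memset(c->buf, 0, sizeof c->buf); c->used = 0; c->gen++; }

static Ref ref_make(Ctx *c, const char *s) { Ref r = { c, c->gen, ctx_strdup(c, s) }; return r; }

/* Returns NULL instead of handing back a pointer into a context that was reset. */
static const char *ref_get(const Ref *r) { return (r->p && r->ctx->gen == r->gen) ? r->p : NULL; }

/* Evaluate stage stores the NLS string, the scan context is reset, the output stage reads it.
 * store_in_session = 0 mirrors the flawed lifetime; 1 copies into session-lifetime memory. */
static int output_stage_sees_valid_string(int store_in_session) {
    Ctx scan = {0}, session = {0};
    const char *nls = "NLS_DATE_LANGUAGE=ENGLISH";  /* constructed sample value */
    Ref session_slot = ref_make(store_in_session ? &session : &scan, nls);
    ctx_reset(&scan);                               /* scan finished: per-scan memory is gone */
    const char *s = ref_get(&session_slot);         /* what the output stage would read */
    return s != NULL && strcmp(s, nls) == 0;
}

int main(void) {
    printf("per-scan allocation valid at output: %d\n", output_stage_sees_valid_string(0));
    printf("session allocation valid at output:  %d\n", output_stage_sees_valid_string(1));
    return 0;
}
```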

Compliance Impact

The vulnerability in openGauss causes a denial of service risk by potentially crashing backend database processes due to a heap-use-after-free issue when handling certain to_timestamp calls with NLS parameters.

However, there is no information provided in the context or resources about any direct impact on data confidentiality, integrity, or privacy that would affect compliance with standards such as GDPR or HIPAA.

Since the vulnerability primarily affects availability through denial of service, it may indirectly impact compliance if database service availability is a regulatory requirement, but no explicit compliance implications are stated.

Impact Analysis

The vulnerability can cause backend processes of the openGauss database to crash unexpectedly, leading to denial of service (DoS). This impacts the availability of the database service.

In environments with memory checking tools like ASan or Memcheck, the database service may exit immediately upon triggering the vulnerability.

Attackers need SQL execution permissions to exploit this, so the risk depends on the access control of the database.

Detection Guidance

This vulnerability manifests as a heap-use-after-free error triggered by specific to_timestamp(..., ..., nlsparam) SQL queries in openGauss versions 7.0.0-RC1 and 7.0.0-RC2.

Detection can be done by monitoring database logs and backend process behavior for abnormal exits or crashes, especially after executing to_timestamp calls with NLS parameters.

Since the issue occurs when executing crafted SQL queries, you can attempt to detect it by running controlled test queries that use to_timestamp with NLS parameters and observe if the database service crashes or backend processes exit unexpectedly.

No specific commands or network detection signatures are provided in the available information.

Mitigation Strategies

The vulnerability is fixed in openGauss-server version 7.0.0-RC3 and later.

Immediate mitigation involves upgrading from openGauss-server 7.0.0-RC1 or 7.0.0-RC2 to version 7.0.0-RC3 or a newer release.

Since no patch is provided for the affected versions, upgrading is the only effective mitigation.

Additionally, restricting or monitoring SQL execution permissions to prevent untrusted users from running crafted to_timestamp queries with NLS parameters may reduce risk until upgrade is performed.
