PostgreSQL Vulnerability CVE-2026-6473 Allows Remote Code Execution

The National Vulnerability Database has disclosed CVE-2026-6473, a critical integer wraparound vulnerability affecting multiple features within PostgreSQL server. This flaw allows an unprivileged database user to trigger an allocation undersizing, leading to an out-of-bounds write. The direct consequence is the potential for arbitrary code execution as the operating system user running the database, a severe risk for any environment relying on PostgreSQL.

This vulnerability is particularly concerning for applications that handle gigabyte-scale user inputs passed to vulnerable database functions. While the National Vulnerability Database notes this could cause a segmentation fault for the application input provider, the primary threat remains remote code execution on the database server itself. Versions prior to PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are impacted, making a broad range of deployments vulnerable.

Defenders must prioritize patching these PostgreSQL versions immediately. Given the CVSS score of 8.8 (HIGH) and the potential for low-privileged attackers (PR:L) to gain full control (C:H/I:H/A:H) via the network (AV:N), this is not a vulnerability to defer. Organizations should audit their PostgreSQL installations and apply the necessary updates across all production and staging environments to mitigate the risk of compromise.

What This Means For You

  • If your organization runs PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, or 14.23, you must patch immediately. This vulnerability allows an unprivileged database user to execute arbitrary code on your server, posing a direct threat to your infrastructure.
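
The version audit recommended above, as an added example (not part of the original advisory and not PostgreSQL tooling): it classifies version strings as returned by `SELECT version()`, `SHOW server_version` or `server_version_num` against the fixed releases listed on this page. Host names and sample versions are constructed, and treating branches older than 14 as affected with no listed fix is an assumption based on the page's "prior to 14.23" wording.

```python
import re

# Fixed minor release per major branch, taken from the advisory text above.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
# Matches "16.3", "PostgreSQL 15.4 on x86_64...", "17beta1", "18devel".
_VER = re.compile(r"(?<![\d.])(\d+)(?:\.(\d+))?(beta|rc|devel)?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, prerelease) from a reported version value."""
    text = str(text).strip()
    if text.isdigit() and len(text) >= 5:
        # server_version_num form: major * 10000 + minor on PostgreSQL 10+;
        # older values such as 90624 still yield the correct major (9).
        return (*divmod(int(text), 10000), False)
    m = _VER.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0), bool(m.group(3))


def classify(text):
    """Classify one reported version against the CVE-2026-6473 fixed releases."""
    major, minor, prerelease = parse_version(text)
    if major < min(FIXED_MINOR):
        # Assumption: branches older than 14 count as "prior to 14.23" and have
        # no fixed release listed on the page, so the remedy is a major upgrade.
        return "affected-no-fix-listed"
    if major not in FIXED_MINOR:
        return "not-listed"
    if prerelease or minor < FIXED_MINOR[major]:
        return f"affected-upgrade-to-{major}.{FIXED_MINOR[major]}"
    return "fixed"


def audit(inventory):
    """Map host -> verdict for a {host: version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative.
    sample = {
        "db-prod-1": "PostgreSQL 16.13 on x86_64-pc-linux-gnu, compiled by gcc",
        "db-prod-2": "17.10 (Debian 17.10-1.pgdg120+1)",
        "db-stage": "150017",
        "db-legacy": "9.6.24",
    }
    for host, verdict in audit(sample).items():
        print(f"{host}: {verdict}")
```
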

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-6473 PostgreSQL Integer Wraparound RCE - Process Creation

Sigma YAML

title: CVE-2026-6473 PostgreSQL Integer Wraparound RCE - Process Creation
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects potential exploitation of CVE-2026-6473 by monitoring PostgreSQL processes (postgres.exe) that are invoked with specific internal catalog table names which are known to be vulnerable to integer wraparound. This could indicate an unprivileged user attempting to trigger out-of-bounds writes for remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6473/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'postgres.exe'
    CommandLine|contains:
      - 'pg_catalog.pg_type'
      - 'pg_catalog.pg_attribute'
      - 'pg_catalog.pg_proc'
  # condition sits at the detection level, as a sibling of selection
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID | Type | Indicator
CVE-2026-6473 | RCE | PostgreSQL server versions before 18.4, 17.10, 16.14, 15.18, and 14.23
CVE-2026-6473 | Memory Corruption | Integer wraparound in multiple PostgreSQL server features
CVE-2026-6473 | DoS | Segmentation fault when passing gigabyte-scale user inputs to PostgreSQL database functions

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
