CVE-2026-6477: PostgreSQL libpq Vulnerability Allows Superuser Client Stack Overwrite
The National Vulnerability Database has published CVE-2026-6477, a high-severity vulnerability (CVSS 8.8) in PostgreSQL's libpq client library. The flaw lies in the calls to PQfn(..., result_is_int=0, ...) made by lo_export(), lo_read(), lo_lseek64(), and lo_tell64(). Used this way, PQfn() behaves like gets(): it writes a server-determined response of arbitrary length into a client-side buffer whose size it is never told.
This lets a PostgreSQL server superuser overwrite a client's stack buffer with an arbitrarily large response. Critically, both the \lo_export command in psql and the pg_dump utility call lo_read(), so a malicious superuser can use this to corrupt memory in pg_dump or psql clients that connect to the server. Defenders should note that this is not remote code execution against the server; it is a client-side attack that becomes available once a superuser account is compromised or malicious.
PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. This is a classic buffer overflow scenario (CWE-242) that, while it requires superuser privileges on the server, can lead to significant client-side compromise or denial of service of administrative tools. The attacker's calculus is to leverage a compromised database superuser account to reach administrative workstations or backup systems.
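To make the gets()-like pattern concrete, here is an added C model (not libpq's code) of a client copying a length-prefixed function-call response into a fixed stack buffer, first trusting the server-supplied length and then with the bounds check the fix requires. The 4-byte big-endian length header, the function names and the sample responses are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message model: 4-byte big-endian length, then payload.
   This is a simplified stand-in, not libpq's real wire format. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed pattern: the server decides how many bytes land in 'out',
   and the function never learns how big 'out' is (gets()-style). */
int copy_result_unchecked(const unsigned char *msg, unsigned char *out) {
    uint32_t len = read_be32(msg);
    memcpy(out, msg + 4, len);      /* overflows 'out' when len > its capacity */
    return (int)len;
}

/* Hardened form: the caller passes the capacity; oversized or truncated
   responses are refused instead of written past the buffer. */
int copy_result_checked(const unsigned char *msg, size_t msg_len,
                        unsigned char *out, size_t out_cap) {
    if (msg_len < 4) return -1;
    uint32_t len = read_be32(msg);
    if (len > msg_len - 4) return -1;   /* header claims more than was received */
    if (len > out_cap) return -1;        /* would overflow the stack buffer */
    memcpy(out, msg + 4, len);
    return (int)len;
}

/* A 16-byte stack buffer against a constructed 64-byte response: rejected. */
int demo_oversized_rejected(void) {
    unsigned char buf[16];
    unsigned char big[4 + 64] = {0, 0, 0, 64};
    memset(big + 4, 'A', 64);
    return copy_result_checked(big, sizeof big, buf, sizeof buf);   /* -1 */
}

/* A well-formed 5-byte response still copies normally. */
int demo_benign_accepted(void) {
    unsigned char buf[16];
    unsigned char ok[4 + 5] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    int n = copy_result_checked(ok, sizeof ok, buf, sizeof buf);
    return (n == 5 && memcmp(buf, "hello", 5) == 0) ? 1 : 0;
}

int main(void) {
    printf("oversized response -> %d (expect -1)\n", demo_oversized_rejected());
    printf("benign response ok -> %d (expect 1)\n", demo_benign_accepted());
    return 0;
}
```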
What This Means For You
- If your organization uses PostgreSQL, immediately identify all instances running versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23 and patch them to the latest secure releases to mitigate CVE-2026-6477. Also review how superuser accounts are managed, and monitor for unusual activity involving `psql` or `pg_dump` clients.
Related ATT&CK Techniques
🛡️ Detection Rules
CVE-2026-6477: PostgreSQL libpq Stack Buffer Overflow via lo_export

```yaml
title: CVE-2026-6477: PostgreSQL libpq Stack Buffer Overflow via lo_export
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects the execution of pg_dump, a tool that calls the vulnerable lo_read function, which can be exploited by a malicious PostgreSQL server superuser to overwrite client stack memory. This rule specifically targets the execution of pg_dump, which is susceptible to this vulnerability when interacting with a compromised PostgreSQL server.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6477/
tags:
  - attack.lateral_movement
  - attack.t1210
logsource:
  category: process_creation
detection:
  selection:
    Image|startswith:
      - 'C:\Program Files\PostgreSQL\'
    CommandLine|contains:
      - 'pg_dump'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6477 | Vulnerability | CVE-2026-6477 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.