PostgreSQL Denial-of-Service Vulnerability: CVE-2026-6479 Impacts Older Versions
The National Vulnerability Database has identified CVE-2026-6479, a critical denial-of-service vulnerability in PostgreSQL. This flaw stems from uncontrolled recursion during SSL and GSS negotiation. Attackers with the ability to connect to a PostgreSQL AF_UNIX socket can trigger a sustained DoS. If both SSL and GSS are disabled, the same attack can be launched via a TCP socket.
This vulnerability affects several older versions of PostgreSQL, specifically those prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The high CVSS score of 7.5 highlights the significant impact this flaw can have on service availability.
Defenders must prioritize patching these vulnerable PostgreSQL instances immediately. Given the ease of triggering the DoS condition via socket access, organizations should also review access controls for their database sockets and consider network segmentation to limit potential attack vectors.
What This Means For You
- If your organization runs older versions of PostgreSQL (prior to 18.4, 17.10, 16.14, 15.18, and 14.23), you are at risk of a sustained denial-of-service attack. Patch these systems urgently and audit socket access controls to prevent attackers from disrupting database availability.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-6479 - PostgreSQL Uncontrolled Recursion DoS via AF_UNIX Socket
title: CVE-2026-6479 - PostgreSQL Uncontrolled Recursion DoS via AF_UNIX Socket
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
Detects potential exploitation of CVE-2026-6479 by looking for PostgreSQL processes being launched with specific command-line arguments that might indicate an attempt to exploit the AF_UNIX socket vulnerability. This rule is designed for free tier detection and focuses on the initial access vector described in the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-6479/
tags:
- attack.impact
- attack.t1499
logsource:
category: process_creation
detection:
selection:
Image|startswith:
- 'postgres.exe'
CommandLine|contains:
- '--unix-socket-directories=' # This is a hypothetical indicator for the exploit targeting AF_UNIX sockets
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6479 | DoS | PostgreSQL versions before 18.4 |
| CVE-2026-6479 | DoS | PostgreSQL versions before 17.10 |
| CVE-2026-6479 | DoS | PostgreSQL versions before 16.14 |
| CVE-2026-6479 | DoS | PostgreSQL versions before 15.18 |
| CVE-2026-6479 | DoS | PostgreSQL versions before 14.23 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-44482: SoundCloud Client RCE via Malicious Track Metadata
CVE-2026-44482 — soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an...
Nerdbank.MessagePack Stack Overflow Vulnerability (CVE-2026-44375) Patched
CVE-2026-44375 — Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack...
CVE-2026-44374 — Information Disclosure
CVE-2026-44374 — Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission...