CVE-2026-6474
PostgreSQL timeofday() can disclose portions of server memory
4.3
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
An externally-controlled format string in the PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
How to fix CVE-2026-6474
To remediate CVE-2026-6474, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 15.18-r0 or later
- —upgrade to 16.14-r0 or later
- —upgrade to 17.10-r0 or later
- —upgrade to 18.4-r0 or later
- —upgrade to 14.23.0 or later
- —no fix listed
- —upgrade to 15.18-0+deb12u1 or later
- —upgrade to 17.10-0+deb13u1 or later
- —upgrade to 18.4-1 or later
Is CVE-2026-6474 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (9)
- from 0, < 15.18-r0
- from 0, < 16.14-r0
- from 0, < 17.10-r0
- from 0, < 18.4-r0
- from 0, < 14.23.0; >= 15.0.0, < 15.18.0; >= 16.0.0, < 16.14.0; >= 17.0.0, < 17.10.0; >= 18.0.0, < 18.4.0
- from 0
- from 0, < 15.18-0+deb12u1
- from 0, < 17.10-0+deb13u1
- from 0, < 18.4-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |