CVE-2026-6575 — PostgreSQL pg_restore_attribute_stats accepts values that cause query planning t

Description

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

How to fix CVE-2026-6575

To remediate CVE-2026-6575, upgrade the affected package to a fixed version below.

—upgrade to 18.4-r0 or later
—upgrade to 18.4.0 or later
—upgrade to 18.4-1 or later

Is CVE-2026-6575 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 18.4-r0
>= 18.0.0, < 18.4.0
from 0, < 18.4-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-6575
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-6575
WEBnvd.nist.gov/vuln/detail/CVE-2026-6575
WEBwww.postgresql.org/support/security/CVE-2026-6575/