CVE-2026-6637
PostgreSQL refint allows stack buffer overflow and SQL injection
Description
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
How to fix CVE-2026-6637
To remediate CVE-2026-6637, upgrade the affected package to a fixed version below.
- —upgrade to 15.18-r0 or later
- —upgrade to 16.14-r0 or later
- —upgrade to 17.10-r0 or later
- —upgrade to 18.4-r0 or later
- —upgrade to 14.23.0 or later
- —no fix listed
- —upgrade to 15.18-0+deb12u1 or later
- —upgrade to 17.10-0+deb13u1 or later
- —upgrade to 18.4-1 or later
Is CVE-2026-6637 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (9)
- from 0, < 15.18-r0
- from 0, < 16.14-r0
- from 0, < 17.10-r0
- from 0, < 18.4-r0
- from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
- from 0
- from 0, < 15.18-0+deb12u1
- from 0, < 17.10-0+deb13u1
- from 0, < 18.4-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |