CVE-2026-6474

MEDIUM4.3EPSS 0.03%

PostgreSQL timeofday() can disclose portions of server memory

Published: 5/14/2026Modified: 5/25/2026

Description

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Affected packages (9)

Alpine/postgresql15from 0, < 15.18-r0
Alpine/postgresql16from 0, < 16.14-r0
Alpine/postgresql17from 0, < 17.10-r0
Alpine/postgresql18from 0, < 18.4-r0
Bitnami/postgresqlfrom 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
Debian/postgresql-13from 0
Debian/postgresql-15from 0, < 15.18-0+deb12u1
Debian/postgresql-17from 0, < 17.10-0+deb13u1
Debian/postgresql-18from 0, < 18.4-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-6474
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-6474
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-6474
WEBhttps://www.postgresql.org/support/security/CVE-2026-6474/