CVE-2026-6575 PUBLISHED

PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

Assigner: PostgreSQL
Reserved: 19.04.2026 Published: 14.05.2026 Updated: 14.05.2026

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	n/a
Product	PostgreSQL
Versions	Default: unaffected affected from 18 to 18.4 (excl.)

Affected Configurations

attacker has permission to create objects (temporary objects or non-temporary objects in at least one schema) or permission to maintain an existing table

Credits

The PostgreSQL project thanks Jeroen Gui for reporting this problem.

References

https://www.postgresql.org/support/security/CVE-2026-6575/

Problem Types

Buffer Over-read CWE