CVE-2026-6637 PUBLISHED

PostgreSQL refint allows stack buffer overflow and SQL injection

Assigner: PostgreSQL
Reserved: 19.04.2026 Published: 14.05.2026 Updated: 15.05.2026

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	n/a
Product	PostgreSQL
Versions	Default: unaffected affected from 18 to 18.4 (excl.) affected from 17 to 17.10 (excl.) affected from 16 to 16.14 (excl.) affected from 15 to 15.18 (excl.) affected from 0 to 14.23 (excl.)

Affected Configurations

superuser previously installed the refint extension

Credits

The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

References

https://www.postgresql.org/support/security/CVE-2026-6637/

Problem Types

Stack-based Buffer Overflow CWE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE