CVE-2026-6575

MEDIUM4.3EPSS 0.03%

PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

Published: 5/14/2026Modified: 5/25/2026

Description

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Affected packages (3)

Alpine/postgresql18from 0, < 18.4-r0
Bitnami/postgresql>= 18.0.0, < 18.4.0
Debian/postgresql-18from 0, < 18.4-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-6575
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-6575
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-6575
WEBhttps://www.postgresql.org/support/security/CVE-2026-6575/