FreeBSD: VID-bbb18fcb-7f0d-11ee-94b4-6cc21735f730 (CVE-2023-5870): postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
| Severity | CVSS (v2 vector) | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:M/Au:M/C:N/I:N/A:P) | Nov 9, 2023 | Dec 10, 2025 | Dec 10, 2025 |
Description
PostgreSQL Project reports: Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.
Solution
freebsd-upgrade-package-postgresql-server
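An added inventory check (not part of the FreeBSD or PostgreSQL advisory) for gauging exposure before the package is upgraded: the first query lists non-superuser roles that hold pg_cancel_backend, and the second lists running background workers whose backend_type is not one of the core process names, i.e. the non-core workers the advisory identifies as the only meaningful targets. The list of core names is an assumption drawn from PostgreSQL's documented backend_type values; extension workers report their registered name instead.

```sql
-- Added example, not the advisory's own text.
-- 1) Non-superuser roles that are members of pg_cancel_backend.
--    Under the bug these members can signal background workers too.
SELECT r.rolname
FROM pg_roles AS r
WHERE pg_has_role(r.oid, 'pg_cancel_backend', 'MEMBER')
  AND NOT r.rolsuper
ORDER BY r.rolname;

-- 2) Background workers that are not core PostgreSQL processes.
--    Core names are excluded (assumed list); anything left is an extension
--    worker whose resilience to SIGINT/SIGTERM should be reviewed.
SELECT pid, backend_type, application_name, state
FROM pg_stat_activity
WHERE backend_type NOT IN (
        'client backend', 'autovacuum launcher', 'autovacuum worker',
        'logical replication launcher', 'logical replication worker',
        'parallel worker', 'background writer', 'checkpointer',
        'walwriter', 'walsender', 'walreceiver', 'archiver', 'startup')
ORDER BY backend_type, pid;
```

An empty first result set means no unprivileged role can reach the affected code path; an empty second set means no non-core worker is running to be disrupted.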