vulnerability

PostgreSQL: CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server memory

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:P/I:N/A:N)	May 14, 2026	May 14, 2026	May 17, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Published

May 14, 2026

Added

May 14, 2026

Modified

May 17, 2026

Description

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Solutions

postgres-upgrade-14_23postgres-upgrade-15_18postgres-upgrade-16_14postgres-upgrade-17_10postgres-upgrade-18_4

References

CVE-2026-6474
https://attackerkb.com/topics/CVE-2026-6474
CWE-134
EUVD-EUVD-2026-30280
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-30280

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report