
PostgreSQL: Updates Patch High-Risk Security Flaws

(Image: Sashkin/Shutterstock.com)

With new PostgreSQL releases, the developers are closing multiple security vulnerabilities, some of them high-risk. Several holes in the PostgreSQL database allow attackers to inject SQL commands, among other things. Updated software is now available, and IT administrators should update quickly.

The PostgreSQL developers write in a release announcement [1] that the newly available versions 18.4, 17.10, 16.14, 15.18 and 14.23 fix a total of eleven vulnerabilities. Several of them come very close to being classified as critical security flaws.

An integer underflow in multiple functions allows attackers to allocate memory areas that are too small and write outside the intended memory boundaries, which leads to segmentation faults (crashes) (CVE-2026-6473, CVSS 8.8, risk “high”). An origin superuser can overwrite local files such as “/var/lib/postgres/.bashrc” through a symlink traversal vulnerability in pg_basebackup and pg_rewind, thereby taking over the account in the operating system (CVE-2026-6475, CVSS 8.8, risk “high”). Another vulnerability allows server superusers to overwrite client memory on the stack (CVE-2026-6477, CVSS 8.8, risk “high”). Finally, a stack-based buffer overflow in refint allows database users with low privileges to execute arbitrary code as the database user in the operating system; in addition, a SQL injection attack is possible (CVE-2026-6637, CVSS 8.8, risk “high”).

Two further vulnerabilities are classified by the developers as high risk, four as medium, and one as low.

Numerous bug fixes

In addition to the eleven vulnerabilities, the developers correct more than 60 bugs in the updated packages. The release announcement lists 24 of them, which particularly affect PostgreSQL [2] 18. Current installer packages for the major operating systems and several Linux distributions are available on the PostgreSQL project’s download page [3].

(dmk [5])
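For administrators who manage a fleet of databases, the practical question is which servers are still below the fixed minor release for their major version. The following script is an added example (not code from heise or the PostgreSQL project): it parses the text returned by `SELECT version();` or `SHOW server_version;` and compares it against the patched releases named in the announcement (18.4, 17.10, 16.14, 15.18, 14.23). The sample version strings at the bottom are constructed for illustration; majors not in the table (for example end-of-life branches) are reported as "unknown" rather than silently treated as safe.

```python
import re

# Minimum minor release per major branch that carries the fixes described in
# the announcement. Values are taken from the article; anything older on the
# same branch is assumed unpatched.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Matches the first "major.minor" pair, e.g. "17.9" in
# "PostgreSQL 17.9 on x86_64-pc-linux-gnu, compiled by gcc ...".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor) parsed from a server version string, or None.

    Accepts the output of SELECT version(), SHOW server_version, or
    `psql --version`; the first dotted number pair in the string is used.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def check_version(text):
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'.

    Returns a (status, detail) tuple. 'unknown' covers both unparseable
    input and major versions the release set does not cover, so that an
    unsupported branch is never reported as patched by accident.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown", "no PostgreSQL version found in: %r" % text
    major, minor = parsed
    if major not in FIXED_MINOR:
        return "unknown", "major %d not covered by this release set" % major
    needed = FIXED_MINOR[major]
    if minor >= needed:
        return "patched", "%d.%d >= %d.%d" % (major, minor, major, needed)
    return "vulnerable", "%d.%d < %d.%d, update required" % (
        major, minor, major, needed)


def scan(hosts):
    """Run check_version over a {host: version_string} mapping and return
    a {host: status} dict, suitable for feeding a ticket or an alert."""
    return {host: check_version(text)[0] for host, text in hosts.items()}


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_HOSTS = {
    "db-prod-1": "PostgreSQL 17.9 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-prod-2": "PostgreSQL 16.14 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-legacy": "PostgreSQL 13.20 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-new": "psql (PostgreSQL) 18.4",
}

if __name__ == "__main__":
    for host, status in sorted(scan(SAMPLE_HOSTS).items()):
        print("%-10s %s" % (host, status))
```

Collect the version strings with `psql -Atc "SHOW server_version;"` against each host and feed them into `scan`; "vulnerable" entries are the ones to schedule for the update the article recommends, and "unknown" entries need a manual look because the branch is outside the five releases the announcement covers.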
URL of this article: https://www.heise.de/-11297485

Links in this article:
[1] https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
[2] https://www.heise.de/thema/PostgreSQL
[3] https://www.postgresql.org/download/
[4] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[5] mailto:dmk@heise.de

Copyright © 2026 Heise Medien

heise security News
