Description
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Problem types
Use of Inherently Dangerous Function
Credits
The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.
References
access.redhat.com/security/cve/CVE-2026-6477
bugzilla.redhat.com/show_bug.cgi?id=2477442 (RHBZ#2477442)
security.access.redhat.com/...v2/vex/2026/cve-2026-6477.json
access.redhat.com/errata/RHSA-2026:27718
access.redhat.com/errata/RHSA-2026:27743
access.redhat.com/errata/RHSA-2026:27742
access.redhat.com/errata/RHSA-2026:27738
access.redhat.com/errata/RHSA-2026:26181
access.redhat.com/errata/RHSA-2026:34362
access.redhat.com/errata/RHSA-2026:34363
access.redhat.com/errata/RHSA-2026:29815
access.redhat.com/errata/RHSA-2026:32994
access.redhat.com/errata/RHSA-2026:35880
access.redhat.com/errata/RHSA-2026:34043
access.redhat.com/errata/RHSA-2026:26561
access.redhat.com/errata/RHSA-2026:33497
access.redhat.com/errata/RHSA-2026:29953
access.redhat.com/errata/RHSA-2026:33441
access.redhat.com/errata/RHSA-2026:26524
access.redhat.com/errata/RHSA-2026:29904
access.redhat.com/errata/RHSA-2026:32983
access.redhat.com/errata/RHSA-2026:26525
access.redhat.com/errata/RHSA-2026:29212
access.redhat.com/errata/RHSA-2026:28037
access.redhat.com/errata/RHSA-2026:26203
access.redhat.com/errata/RHSA-2026:26204
access.redhat.com/errata/RHSA-2026:27741
access.redhat.com/errata/RHSA-2026:21182
access.redhat.com/errata/RHSA-2026:22878
www.postgresql.org/support/security/CVE-2026-6477/