An update for postgresql is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2414 Final 1.0 1.0 2026-05-22 Initial 2026-05-22 2026-05-22 openEuler SA Tool V1.0 2026-05-22 postgresql security update An update for postgresql is now available for openEuler-24.03-LTS-SP3 PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package. Security Fix(es): Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6472) Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6473) Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6474) Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6475) Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6477) Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6478) Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6479) Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.(CVE-2026-6637) An update for postgresql is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High postgresql https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6472 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6473 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6474 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6475 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6477 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6478 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6479 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-6637 https://nvd.nist.gov/vuln/detail/CVE-2026-6472 https://nvd.nist.gov/vuln/detail/CVE-2026-6473 https://nvd.nist.gov/vuln/detail/CVE-2026-6474 https://nvd.nist.gov/vuln/detail/CVE-2026-6475 https://nvd.nist.gov/vuln/detail/CVE-2026-6477 https://nvd.nist.gov/vuln/detail/CVE-2026-6478 https://nvd.nist.gov/vuln/detail/CVE-2026-6479 https://nvd.nist.gov/vuln/detail/CVE-2026-6637 openEuler-24.03-LTS-SP3 postgresql-15.18-1.oe2403sp3.aarch64.rpm postgresql-contrib-15.18-1.oe2403sp3.aarch64.rpm postgresql-debuginfo-15.18-1.oe2403sp3.aarch64.rpm postgresql-debugsource-15.18-1.oe2403sp3.aarch64.rpm postgresql-docs-15.18-1.oe2403sp3.aarch64.rpm postgresql-llvmjit-15.18-1.oe2403sp3.aarch64.rpm postgresql-plperl-15.18-1.oe2403sp3.aarch64.rpm postgresql-plpython3-15.18-1.oe2403sp3.aarch64.rpm postgresql-pltcl-15.18-1.oe2403sp3.aarch64.rpm postgresql-private-devel-15.18-1.oe2403sp3.aarch64.rpm postgresql-private-libs-15.18-1.oe2403sp3.aarch64.rpm postgresql-server-15.18-1.oe2403sp3.aarch64.rpm postgresql-server-devel-15.18-1.oe2403sp3.aarch64.rpm postgresql-static-15.18-1.oe2403sp3.aarch64.rpm postgresql-test-15.18-1.oe2403sp3.aarch64.rpm postgresql-15.18-1.oe2403sp3.src.rpm postgresql-15.18-1.oe2403sp3.x86_64.rpm postgresql-contrib-15.18-1.oe2403sp3.x86_64.rpm postgresql-debuginfo-15.18-1.oe2403sp3.x86_64.rpm postgresql-debugsource-15.18-1.oe2403sp3.x86_64.rpm postgresql-docs-15.18-1.oe2403sp3.x86_64.rpm postgresql-llvmjit-15.18-1.oe2403sp3.x86_64.rpm postgresql-plperl-15.18-1.oe2403sp3.x86_64.rpm postgresql-plpython3-15.18-1.oe2403sp3.x86_64.rpm postgresql-pltcl-15.18-1.oe2403sp3.x86_64.rpm postgresql-private-devel-15.18-1.oe2403sp3.x86_64.rpm postgresql-private-libs-15.18-1.oe2403sp3.x86_64.rpm postgresql-server-15.18-1.oe2403sp3.x86_64.rpm postgresql-server-devel-15.18-1.oe2403sp3.x86_64.rpm postgresql-static-15.18-1.oe2403sp3.x86_64.rpm postgresql-test-15.18-1.oe2403sp3.x86_64.rpm postgresql-test-rpm-macros-15.18-1.oe2403sp3.noarch.rpm Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6472 openEuler-24.03-LTS-SP3 Medium 5.4 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6473 openEuler-24.03-LTS-SP3 High 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6474 openEuler-24.03-LTS-SP3 Medium 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6475 openEuler-24.03-LTS-SP3 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6477 openEuler-24.03-LTS-SP3 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6478 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6479 openEuler-24.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414 Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. 2026-05-22 CVE-2026-6637 openEuler-24.03-LTS-SP3 High 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H postgresql security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2414