Cyber Resilience

CVE-2026-6473

Severity: High (Updated)

Published: 14 May 2026
Modified: 30 June 2026

CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0067 (47.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6473 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Postgresql Postgresql. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 47.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Integer wraparound leads to out-of-bounds write enabling arbitrary code execution as the DB OS user (T1068) via exploitation of the PostgreSQL server (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2004 · Same product: Postgresql Postgresql
CVE-2026-6476 · Same product: Postgresql Postgresql
CVE-2026-2006 · Same product: Postgresql Postgresql
CVE-2026-2007 · Same product: Postgresql Postgresql
CVE-2026-6637 · Same product: Postgresql Postgresql
CVE-2026-2005 · Same product: Postgresql Postgresql
CVE-2026-6475 · Same product: Postgresql Postgresql
CVE-2026-6479 · Same product: Postgresql Postgresql
CVE-2026-6477 · Same product: Postgresql Postgresql
CVE-2025-41726 · Shared CWE-190

Affected Assets

postgresql / postgresql: versions ≤ 14.23, 15.0 to 15.18, 16.0 to 16.14

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.