What is the CVSS score of CVE-2026-6637?

CVE-2026-6637 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

How to fix or mitigate CVE-2026-6637?

Within 24 hours: Inventory all PostgreSQL deployments and identify running versions (query 'SELECT version();'). Within 7 days: Apply vendor patches immediately upon availability-monitor PostgreSQL security advisories for releases 14.24, 15.19, 16.15, 17.11, and 18.5. Within 30 days: Audit and restrict low-privilege database user accounts; disable the refint module if not in active use via commenting in shared_preload_libraries configuration; implement network-level access controls limiting database connections to application servers only.

PostgreSQL CVE-2026-6637

Q: Which versions of PostgreSQL are affected by CVE-2026-6637?

A stack buffer overflow in PostgreSQL's refint module (CVE-2026-6637, CVSS 8.8) allows low-privileged database users to execute arbitrary code with database server operating system privileges,…. A patch is available.

EUVD-2026-30291 HIGH

Stack-based Buffer Overflow (CWE-121)

2026-05-14 PostgreSQL

GHSA-96xx-m79q-xh44

RCE Buffer Overflow SQLi PostgreSQL Stack Overflow Suse

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 14, 2026 - 15:01 EUVD

Analysis Generated

May 14, 2026 - 14:02 vuln.today

CVE Published

May 14, 2026 - 13:00 nvd

HIGH 8.8

DescriptionNVD

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AnalysisAI

Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. …

RemediationAI

Within 24 hours: Inventory all PostgreSQL deployments and identify running versions (query 'SELECT version();'). Within 7 days: Apply vendor patches immediately upon availability-monitor PostgreSQL security advisories for releases 14.24, 15.19, 16.15, 17.11, and 18.5. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-6637 vulnerability details – vuln.today

Back

PostgreSQL CVE-2026-6637

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code