CVE-2026-6474

PostgreSQL timeofday() can disclose portions of server memory

Published: 5/14/2026 Last updated: 5/14/2026 Reserved: 4/17/2026

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CNA assigner: PostgreSQL (f86ef6dc-4d3a-42ad-8f28-e6d5547a5007) Requested by: n/a

Metrics

Version: 3.1
Score: 4.3
Severity: Medium
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Opam packages affected (5)

conf-mingw-w64-postgresql-i686, conf-mingw-w64-postgresql-x86_64, conf-postgresql, ocsigen-start, postgresql

Products affected (1)

Product: PostgreSQL
Vendor: n/a
Version: 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier versions

References (1)

Credits (1)