Warning: PostgreSQL patches multiple vulnerabilities and announces EOL date for version 14, Patch Immediately!

Published: 20/05/2026
  • Last update: 19/05/2026
  • Affected software:
    → PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23
  • Type: Remote Code Execution, SQL Injection and Denial of Service
  • CVE/CVSS
    → CVE-2026-6473: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2026-6475: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    → CVE-2026-6477: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    → CVE-2026-6637: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

PostgreSQL - <https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/>

Risks

PostgreSQL is the world's most widely deployed open-source relational database. Its ubiquity makes it a high-value target: compromising a PostgreSQL instance typically means compromising application data, credentials, and in many configurations, the underlying host.

This release addresses 11 CVEs, four of which carry a CVSS score of 8.8, the threshold for Critical. As of the advisory date, no public proof-of-concept exploit code has been confirmed for these specific CVEs, and no active exploitation in the wild has been reported. However, the attack surface is broad and the vulnerability types (stack buffer overflows, integer wraparound, SQL injection) are well understood by offensive security practitioners, so working exploits could be developed rapidly once the patch diff is analysed.

The PostgreSQL advisory also stresses that PostgreSQL version 14 will reach End-Of-Life on 12 November 2026.

Description

CVE-2026-6473 - Integer Wraparound / Out-of-Bounds Write

Multiple server features fail to guard against integer overflow in size calculations, allowing an attacker who can supply application input to cause an undersized heap allocation. The server then writes past the end of that buffer, resulting in a segmentation fault or, with careful heap manipulation, potential code execution.

CVE-2026-6637 - refint Stack Buffer Overflow & SQL Injection

The refint contrib module (referential integrity triggers) contains a fixed-size stack buffer that can be overflowed by a long column name. An unprivileged database user can trigger this to execute arbitrary code as the OS user running PostgreSQL. A secondary SQL injection path exists when applications expose user-controlled refint cascade primary key columns.

CVE-2026-6477 - libpq lo_ Client Stack Buffer Overflow

The PQfn() function used internally by lo_export(), lo_read(), lo_lseek64(), and lo_tell64() stores server-returned data of arbitrary length into an unspecified-size stack buffer, analogous to the deprecated gets() function. A malicious or compromised server can overflow the client stack when these functions are called, affecting psql and pg_dump.

CVE-2026-6475 - pg_basebackup / pg_rewind Symlink Following

Symlink following in pg_basebackup (plain format) and pg_rewind allows an origin server superuser to overwrite arbitrary files on the machine running the utility, such as shell profile files, which can be used to hijack the OS account when the server process subsequently starts.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

PostgreSQL 14 End-of-Life Notice

PostgreSQL 14 will receive its final update release on 12 November 2026. Organizations still running PostgreSQL 14 in production should plan their upgrade to a supported major version (15, 16, 17, or 18) before that date.
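As an added example, not taken from the CCB advisory or from the PostgreSQL project, the following Python check classifies a server's reported version against the fixed releases listed above (18.4, 17.10, 16.14, 15.18, 14.23) and separately flags instances on the 14 branch for End-Of-Life planning. The version strings in the main block are constructed samples in the shape `SELECT version();` returns.

```python
import re
from dataclasses import dataclass

# First fixed release on each branch, as listed in the advisory.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
# Branch the advisory flags as reaching End-Of-Life on 12 November 2026.
EOL_BRANCH = 14
# Full form as returned by `SELECT version();`, and a bare "major.minor" fallback.
FULL_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)")
BARE_RE = re.compile(r"\s*(\d+)\.(\d+)")


@dataclass
class Assessment:
    major: int
    minor: int
    patched: bool      # at or above the fixed release for its branch
    eol_soon: bool     # on the 14 branch, which ends on 12 November 2026
    note: str


def assess_version(version_text: str) -> Assessment:
    """Classify a reported server version against the advisory's fixed releases."""
    m = FULL_RE.search(version_text) or BARE_RE.match(version_text)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version string: {version_text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    eol_soon = major == EOL_BRANCH
    if major not in FIXED_MINOR:
        return Assessment(major, minor, False, eol_soon,
                          "branch not listed in the advisory; verify its status separately")
    patched = minor >= FIXED_MINOR[major]
    note = ("fixed release or later" if patched
            else f"upgrade to {major}.{FIXED_MINOR[major]} or later")
    if eol_soon:
        note += "; branch 14 reaches EOL on 12 November 2026, plan a major-version upgrade"
    return Assessment(major, minor, patched, eol_soon, note)


if __name__ == "__main__":
    # Constructed sample strings in the shape `SELECT version();` returns.
    for s in ("PostgreSQL 16.13 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
              "PostgreSQL 18.4 on aarch64-unknown-linux-gnu, compiled by gcc, 64-bit",
              "14.22"):
        a = assess_version(s)
        print(f"{a.major}.{a.minor}: patched={a.patched} eol_soon={a.eol_soon} ({a.note})")
```

Feed it the output of `psql -Atc 'SELECT version();'` for each instance in your inventory; an unpatched result on branch 14 should be treated as both a patch task and a migration task.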

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-6473
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-6475
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-6477
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-6637