Christophe Pettus: Eleven CVEs Walk Into a Release

Planet PostgreSQL, May 14, 2026

Why It Matters

The high‑severity CVEs pose immediate exploitation risk for any PostgreSQL deployment, while the bug fixes restore data integrity and reliability, making prompt patching essential for operational continuity.

Key Takeaways

  • Eleven CVEs released, three with CVSS 8.8 severity
  • libpq bug lets hostile server corrupt pg_dump client memory
  • pg_basebackup can overwrite files via symlink attack
  • Silent bugs affect nondeterministic collations and MERGE serialization
  • PostgreSQL 14 EOL in November 2026; plan upgrade

Pulse Analysis

The May 2026 PostgreSQL patch stream is the largest security update in the project's history, bundling eleven CVEs, three of them scoring 8.8 on the CVSS scale, across all supported branches. The vulnerabilities span core server logic, the libpq client library, and the backup utilities, and several of them are memory-corruption flaws that a malicious server can trigger in a connecting client. For organizations that run PostgreSQL for mission-critical workloads, the advisory makes immediate patch deployment necessary to avoid remote code execution or data loss.

Among the critical issues, CVE-2026-6473 is an integer wraparound that leads to out-of-bounds writes, while CVE-2026-6477 in libpq lets a hostile server corrupt client-side memory during pg_dump or psql sessions. Equally concerning, CVE-2026-6475 allows pg_basebackup and pg_rewind to follow symlinks, potentially overwriting arbitrary files such as a user's .bashrc before the server restarts. These attack vectors assume a hostile server, a scenario many organizations consider unlikely but must now guard against by restricting dump operations to trusted hosts and reviewing backup workflows for symlink exposure.
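One concrete way to review a backup workflow for symlink exposure, as an added example that is not from Pettus's post or the PostgreSQL project: a Python check that lists every symlink inside a pg_basebackup or pg_rewind target directory whose resolved target lies outside that directory. The sample tree, the fake home directory and the file names it creates are constructed for the demo.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted [(link_relative_to_root, resolved_target)] for every
    symlink under root whose final target is outside root. os.walk is told
    not to follow links, so a symlinked directory is reported, not entered."""
    root_real = os.path.realpath(root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            # realpath resolves link chains and does not raise on dangling links
            target = os.path.realpath(link)
            if os.path.commonpath([root_real, target]) != root_real:
                escaping.append((os.path.relpath(link, root), target))
    return sorted(escaping)


def build_sample_tree():
    """Constructed layout: a data directory holding one in-tree link
    (pg_wal -> wal_inside, a normal PostgreSQL arrangement) and one link
    that points at a dotfile outside the data directory."""
    home = tempfile.mkdtemp(prefix="fake_home_")
    dotfile = os.path.join(home, ".bashrc")
    open(dotfile, "w").close()
    data = os.path.join(home, "pgdata")
    os.makedirs(os.path.join(data, "wal_inside"))
    open(os.path.join(data, "PG_VERSION"), "w").close()
    os.symlink("wal_inside", os.path.join(data, "pg_wal"))
    os.symlink(dotfile, os.path.join(data, "postgresql.auto.conf"))
    return data, os.path.realpath(dotfile)


if __name__ == "__main__":
    data_dir, _ = build_sample_tree()
    for link, target in find_escaping_symlinks(data_dir):
        print(f"escaping symlink: {link} -> {target}")
```

Run it against the real target directory before pg_basebackup or pg_rewind writes into it; the in-tree pg_wal link is not reported, only the link that leaves the tree.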

Beyond the headline CVEs, the release fixes silent-behavior bugs that could erode data accuracy, including incorrect results with nondeterministic collations and improper handling of MERGE serialization failures. The fix for logical replication slot workers removes a failover blocker that previously stalled standby promotions. With PostgreSQL 14 slated for end-of-life in November 2026, teams still on that branch have a narrow window to upgrade. Taken together, the security and stability fixes make this release the moment for database teams to audit configurations, validate authentication mechanisms, and accelerate migration to supported versions.
