Christophe Pettus: What Else Is In There?

The PostgreSQL community disclosed a critical flaw in the legacy refint extension (CVE‑2026‑6637) on May 14. The bug combines a stack‑buffer overflow with an SQL‑injection vector, allowing any unprivileged database role to execute arbitrary commands as the operating‑system user that runs the server. With a CVSS score of 8.8, the issue is classified as high severity. The immediate remedy is to apply the minor‑release patches released for versions 14.23, 15.18, 16.14, 17.10 and 18.4, and to drop the refint extension if it is not required.

Beyond the headline, the incident highlights a chronic blind spot in many PostgreSQL deployments: undocumented extensions that survive major‑version upgrades via pg_upgrade. Because the contrib tree is effectively a museum of historic modules, teams often inherit utilities such as tsm_system_rows, intagg, or third‑party add‑ons like pg_repack without ever cataloguing them. These forgotten components expand the attack surface, complicate patch management, and can introduce supply‑chain vulnerabilities that go unnoticed until a CVE forces a review.

The remedy is systematic rather than reactive. Database administrators should run a regular inventory query against pg_extension and pg_available_extensions, cross‑checking results with an approved list maintained by a dedicated owner. Unexplained extensions must be investigated, documented, or removed with DROP EXTENSION CASCADE. Embedding this audit into image‑build pipelines or quarterly compliance cycles turns extension management into a repeatable control. By treating extensions as third‑party dependencies, organizations gain supply‑chain hygiene and reduce the likelihood that legacy code will become a future security liability.