CVE-2026-6473 Affecting postgresql16-plpython package, versions <16.14-160000.1.1


Severity

Recommended
0.0
high
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

Social Trends
EPSS
0.67% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES1600-POSTGRESQL16PLPYTHON-17439246
  • published24 Jun 2026
  • disclosed19 Jun 2026

Introduced: 19 Jun 2026

NewCVE-2026-6473  (opens in a new tab)

How to fix?

Upgrade SLES:16.0.0 postgresql16-plpython to version 16.14-160000.1.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql16-plpython package and not the postgresql16-plpython package as distributed by SLES. See How to fix? for SLES:16.0.0 relevant fixed versions and status.

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS Base Scores

version 3.1