PostgreSQL Patches Six Critical Vulnerabilities in USN-8294-1

Ubuntu's latest security notice addresses six PostgreSQL vulnerabilities spanning authorization bypass, denial of service, information disclosure, and arbitrary code execution. Organizations running PostgreSQL should prioritize patching to mitigate active attack vectors.

TL;DR

  • CREATE TYPE authorization bypass (CVE-2026-6472) allows attackers to execute arbitrary SQL functions
  • Large input handling flaws (CVE-2026-6473) can crash PostgreSQL or enable remote code execution
  • Format string bug in timeofday() (CVE-2026-6474) leaks sensitive information to unauthenticated users
  • Symbolic link following in pg_basebackup and pg_rewind (CVE-2026-6475) enables local file overwrite and code execution
  • SQL injection in pg_createsubscriber (CVE-2026-6476) allows superuser-level command execution on Ubuntu 25.10 and 26.04 LTS

Canonical has released security notice USN-8294-1 addressing six distinct vulnerabilities in PostgreSQL that span multiple severity levels and attack vectors. These flaws affect core database functionality, backup utilities, and replication tools, creating compounded risk for organizations relying on PostgreSQL for production workloads.

The vulnerabilities range from privilege escalation and authorization bypass to denial of service and remote code execution. Several issues require minimal attacker privileges or can be exploited remotely, making timely patching essential for database administrators and application security teams.

Critical Authorization and Execution Flaws

  • CVE-2026-6472: CREATE TYPE authorization enforcement bypass permits attackers to execute arbitrary SQL functions beyond their assigned permissions
  • CVE-2026-6476: SQL injection vulnerability in pg_createsubscriber allows superuser-level SQL execution; affects Ubuntu 25.10 and 26.04 LTS
  • Both flaws represent privilege escalation vectors that bypass intended access controls

Input Handling and Information Disclosure Issues

  • CVE-2026-6473: Improper handling of large user input across multiple server features causes crashes (DoS) or remote code execution
  • CVE-2026-6474: Format string vulnerability in timeofday() function allows information disclosure of sensitive data
  • CVE-2026-6475: Unsafe symbolic link handling in pg_basebackup and pg_rewind enables local file overwrite and arbitrary code execution

Remediation and Risk Assessment

  • Apply USN-8294-1 patches immediately to all affected PostgreSQL installations across Ubuntu distributions
  • Prioritize systems running Ubuntu 25.10 and 26.04 LTS due to additional pg_createsubscriber SQL injection risk
  • Review database user permissions and audit CREATE TYPE operations for unauthorized schema modifications
  • Monitor backup and replication processes (pg_basebackup, pg_rewind) for suspicious file system activity
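As a starting point for the permission review recommended above, the following is an added audit query (not part of the advisory or of PostgreSQL's own tooling) that lists user-defined base types in the current database together with the roles that own the type and its input/output functions. It assumes only the standard pg_catalog views; rows where a non-superuser owns a base type, or where the I/O functions belong to a different role than the type, are the ones a reviewer should examine.

```sql
-- Audit user-defined base types and the ownership of their I/O functions.
-- Creating a base type normally requires superuser rights, so a base type
-- owned by an ordinary role, or whose input/output functions are owned by
-- someone other than the type owner, deserves a closer look.
SELECT n.nspname               AS schema_name,
       t.typname               AS type_name,
       towner.rolname          AS type_owner,
       towner.rolsuper         AS type_owner_is_superuser,
       pin.proname             AS input_function,
       pin_owner.rolname       AS input_function_owner,
       pout.proname            AS output_function,
       pout_owner.rolname      AS output_function_owner
FROM   pg_catalog.pg_type      t
JOIN   pg_catalog.pg_namespace n          ON n.oid          = t.typnamespace
JOIN   pg_catalog.pg_roles     towner     ON towner.oid     = t.typowner
JOIN   pg_catalog.pg_proc      pin        ON pin.oid        = t.typinput
JOIN   pg_catalog.pg_roles     pin_owner  ON pin_owner.oid  = pin.proowner
JOIN   pg_catalog.pg_proc      pout       ON pout.oid       = t.typoutput
JOIN   pg_catalog.pg_roles     pout_owner ON pout_owner.oid = pout.proowner
WHERE  t.typtype = 'b'                                  -- base types only
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  (   pin_owner.oid  <> t.typowner                 -- I/O fn owned by another role
        OR pout_owner.oid <> t.typowner
        OR NOT towner.rolsuper )                        -- base type owned by non-superuser
ORDER BY schema_name, type_name;
```

Run it as a superuser in each database (pg_type is per-database), and compare the output against the list of types your applications are expected to define.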


PostgreSQL Patches Six Critical Vulnerabilities in USN-8294-1 — Agent Breach Blog | Agent Breach