PostgreSQL Recursion CVE-2026-6479: SSL/GSS DoS pre-18.4,17.10,16.14,15.18,14.23
CVE-2026-6479 Published on May 14, 2026
PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Weakness Type
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2026-6479 has been classified to as a Stack Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-6479
stack.watch emails you whenever new vulnerabilities are published in PostgreSQL or Canonical Ubuntu Linux. Just hit a watch button to start following.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.