Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-14T13:00:10 postgresql: PostgreSQL: Information disclosure via externally-controlled format string in timeofday() function 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CWE-134

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

A flaw was found in PostgreSQL. This vulnerability, an externally-controlled format string in the `timeofday()` function, allows a remote attacker to craft specific timezone zones. Successful exploitation can lead to the retrieval of sensitive portions of server memory, potentially disclosing confidential information.

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Hardened Images 2026-06-03T00:00:00Z RHSA-2026:22878 postgresql18-main-18.4-0.1.hum1 Red Hat Enterprise Linux 10 Fix deferred postgresql16 Red Hat Enterprise Linux 10 Fix deferred postgresql18 Red Hat Enterprise Linux 6 Fix deferred postgresql Red Hat Enterprise Linux 7 Fix deferred postgresql Red Hat Enterprise Linux 8 Fix deferred postgresql:12/postgresql Red Hat Enterprise Linux 8 Fix deferred postgresql:13/postgresql Red Hat Enterprise Linux 8 Fix deferred postgresql:15/postgresql Red Hat Enterprise Linux 8 Fix deferred postgresql:16/postgresql Red Hat Enterprise Linux 9 Fix deferred postgresql Red Hat Enterprise Linux 9 Fix deferred postgresql:15/postgresql Red Hat Enterprise Linux 9 Fix deferred postgresql:16/postgresql Red Hat Enterprise Linux 9 Fix deferred postgresql:18/postgresql https://www.cve.org/CVERecord?id=CVE-2026-6474 https://nvd.nist.gov/vuln/detail/CVE-2026-6474 https://www.postgresql.org/support/security/CVE-2026-6474/