Detections
Analytics

FreeBSD : PostgreSQL -- Multiple vulnerabilities (7185ecc9-4fb7-11f1-bc50-6cc21735f730)

high Nessus Plugin ID 314914

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7185ecc9-4fb7-11f1-bc50-6cc21735f730 advisory.

 The PostgreSQL project reports:

 Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice.


 Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault.


 Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.


 Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g.
 /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM.


 SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Versions before PostgreSQL 17 are unaffected.


 PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory. Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.


 PostgreSQL discloses MD5-hashed passwords via covert timing channel. Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier.


 PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion. Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket.


 PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array. Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Versions before PostgreSQL 18 are unaffected.


 PostgreSQL refint allows stack buffer overflow and SQL injection. Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a refint cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update.


 PostgreSQL REFRESH PUBLICATION allows SQL injection via table name. SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Versions before PostgreSQL 16 are unaffected.


Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://www.postgresql.org/support/security/CVE-2026-6472/

https://www.postgresql.org/support/security/CVE-2026-6473/

https://www.postgresql.org/support/security/CVE-2026-6474/

https://www.postgresql.org/support/security/CVE-2026-6475/

https://www.postgresql.org/support/security/CVE-2026-6476/

https://www.postgresql.org/support/security/CVE-2026-6477/

https://www.postgresql.org/support/security/CVE-2026-6478/

https://www.postgresql.org/support/security/CVE-2026-6479/

https://www.postgresql.org/support/security/CVE-2026-6538/

https://www.postgresql.org/support/security/CVE-2026-6575/

https://www.postgresql.org/support/security/CVE-2026-6637/

http://www.nessus.org/u?3c0d74fe

Plugin Details

Severity: High

ID: 314914

File Name: freebsd_pkg_7185ecc94fb711f1bc506cc21735f730.nasl

Version: 1.1

Type: Local

Published: 5/15/2026

Updated: 5/15/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2026-6538

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-6637

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:postgresql14-client, p-cpe:/a:freebsd:freebsd:postgresql17-client, p-cpe:/a:freebsd:freebsd:postgresql15-client, p-cpe:/a:freebsd:freebsd:postgresql16-client, p-cpe:/a:freebsd:freebsd:postgresql16-server, p-cpe:/a:freebsd:freebsd:postgresql18-client, p-cpe:/a:freebsd:freebsd:postgresql18-server, cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:postgresql14-server, p-cpe:/a:freebsd:freebsd:postgresql17-server, p-cpe:/a:freebsd:freebsd:postgresql15-server

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/14/2026

Vulnerability Publication Date: 10/8/2024

Reference Information

CVE: CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6538, CVE-2026-6575, CVE-2026-6637