Primary

Context

PostgreSQL Externally-Controlled Format String Vulnerability in timeofday() Function Allowing Memory Disclosure

Vulnerability

Patched

A vulnerability exists in the PostgreSQL timeofday() function, where an externally-controlled format string can be used to retrieve portions of server memory. This is achieved by crafting specific timezone zones. Affected versions include those prior to PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of server memory contents.

Remediation

Users can upgrade to PostgreSQL versions 18.4, 17.10, 16.14, 15.18, or 14.23 to address this vulnerability.

Added: May 14, 2026, 2:23 PM

Updated: May 14, 2026, 2:23 PM

Vulnerability Rating

Custom Algorithm

spread

8.1

impact

0.6

exploitability

4.9

remediation

7.7

relevance

8.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.1

impact

0.6

exploitability

4.9

remediation

7.7

relevance

8.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PostgreSQL Externally-Controlled Format String Vulnerability in timeofday() Function Allowing Memory Disclosure

Vulnerability

Impact

Remediation

Affected Products

PostgreSQL

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating