⭐ Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket()
Michael Paquier
A malicious unauthenticated client could alternate rejected SSL and GSS negotiation requests indefinitely, each call adding a stack frame until the backend crashed with a stack overflow. The fix tracks negotiation attempts across calls to ProcessStartupPacket() so that repeated attempts are detected and refused early.
⭐ Fix SQL injection in logical replication origin checks
Noah Misch
ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and relation names into SQL without quoting, allowing a crafted subscriber-side relation name to inject arbitrary SQL executed on the publisher. Backpatched to v16 (CVE-2026-6638).
⭐ refint: Fix SQL injection and buffer overruns
Nathan Bossart
Maliciously crafted key values in check_foreign_key() could achieve SQL injection via unescaped interpolation into internally generated SQL statements. The fix applies proper quoting and replaces the fixed-size stack buffers with StringInfo, which also eliminates the potential buffer overruns.
⭐ Prevent path traversal in pg_basebackup and pg_rewind
Michael Paquier
A rogue server endpoint could supply crafted paths through tar streaming in pg_basebackup (v15+) and through libpq file operations in pg_rewind to overwrite arbitrary files on the client machine. Path validation is now applied before any output path is constructed in both tools.
Apply timingsafe_bcmp() in authentication paths
Michael Paquier
Replaces memcmp() and strcmp() with timing-safe comparisons across SCRAM key, MD5 hash, RADIUS secret, and nonce comparison code paths in both backend and frontend. This closes side-channel timing attack vectors that could allow secret recovery from a remote network position.
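As an added illustration of the pattern behind this commit (not PostgreSQL's own code), ct_bcmp() below has timingsafe_bcmp() semantics, verify_proof() shows how a secret comparison should use it, and early_exit_bytes_examined() shows what an early-exit memcmp()-style loop leaks; the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Constant-time comparison with timingsafe_bcmp() semantics: 0 when the two
 * buffers are equal, non-zero otherwise.  Unlike memcmp(), it never exits
 * early, so the time taken does not depend on where the first mismatch is.
 */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];      /* accumulate, never branch on the data */
    return diff != 0;
}

/*
 * Verify a received proof (SCRAM client proof, MD5 hash, RADIUS secret) against
 * the expected value.  Lengths are public and compared first; the bytes are
 * compared with ct_bcmp().  This illustrates the fix's pattern, not its code.
 */
bool
verify_proof(const unsigned char *expected, size_t expected_len,
             const unsigned char *received, size_t received_len)
{
    if (expected_len != received_len)
        return false;
    return ct_bcmp(expected, received, expected_len) == 0;
}

/*
 * For contrast: how many bytes an early-exit memcmp()-style loop examines
 * before stopping.  The count (and thus the time) leaks the mismatch position.
 */
size_t
early_exit_bytes_examined(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}
```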
Avoid passing unintended format codes to snprintf()
Tom Lane
timeofday() passed the output of pg_strftime() directly as a format string to a subsequent snprintf() call; a crafted time zone name containing % sequences could cause crashes or disclose server memory. Fixed by splitting the call and treating all pg_strftime() output as literal strings.
Make palloc_array() and friends safe against integer overflow
Tom Lane
Redefines the palloc_array() macro family to always check for overflow in the count × element_size multiplication, preventing the allocated chunk from being far smaller than what callers subsequently write into it. Primarily a risk on 32-bit builds (CVE-2026-6473).
Use palloc_array() in a few more places to avoid overflow
Heikki Linnakangas
Addresses additional call sites in the tree that could overflow on 32-bit systems when computing allocation sizes by hand. Backpatched through v14 as part of CVE-2026-6473.
Fix assorted places that need to use palloc_array()
Tom Lane
multirange_recv and BlockRefTableReaderNextRelation were performing handwritten count × size multiplications without overflow guards. On 32-bit systems this could produce undersized allocations and subsequent buffer overruns; both are now converted to palloc_array().
Prevent buffer overrun in unicode_normalize()
Tom Lane
Some UTF-8 characters decompose to more than a dozen codepoints, making it possible for an input string well under 1 GB to produce more than 4 billion decomposed codepoints, wrapping decomp_size to a small value and causing a small buffer allocation followed by an overrun. The fix checks for MaxAllocSize exhaustion after each addition and returns an error if exceeded.
Harden our regex engine against integer overflow in size calculations
Tom Lane
Products of NFA state counts, arc counts, and color counts in the regex engine could overflow on 32-bit builds, enabling buffer-overrun attacks. Array allocations in citerdissect() and creviterdissect() based on input length also received similar hardening.
Fix integer-overflow and alignment hazards in locale-related code
Tom Lane
pg_locale_icu.c contained numerous sites where very long input strings could overflow buffer-size calculations, and used unaligned char[] arrays as UChar buffers, risking failure on alignment-strict platforms. Both classes of issue are resolved throughout the file.
Fix integer overflow in array_agg(), when the array grows too large
Heikki Linnakangas
Accumulating many NULL-filled arrays via array_agg() could overflow the nitems counter before hitting MaxAllocSize, resulting in a corrupted final array. An explicit bounds check against MaxArraySize is now performed eagerly. Backpatched through v14 (CVE-2026-6473).
Avoid overflow in size calculations in formatting.c
Nathan Bossart
Several functions in formatting.c multiplied potentially large integers without overflow guards before using the result as an allocation size. Harmless on 64-bit builds but exploitable on 32-bit systems; fixed with palloc_array() and mul_size().
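The palloc_array(), unicode_normalize() and formatting.c items above all come down to the same two checks, shown here as an added example rather than PostgreSQL's own code: a mul_size()-style multiply that refuses to wrap, an add_size()-style running total capped at the allocation limit, and the 32-bit wrap itself. MAX_ALLOC_SIZE stands in for MaxAllocSize and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Stand-in for PostgreSQL's MaxAllocSize (1 GB - 1); an assumed constant. */
#define MAX_ALLOC_SIZE ((size_t) 0x3fffffff)

/*
 * mul_size()-style checked multiply: false (never an undersized product) when
 * count * elem_size wraps size_t or exceeds the limit; valid on 32- and 64-bit.
 */
bool
mul_size_checked(size_t count, size_t elem_size, size_t *result)
{
    if (count != 0 && elem_size > SIZE_MAX / count)
        return false;               /* product would wrap size_t */
    if (count * elem_size > MAX_ALLOC_SIZE)
        return false;               /* too large to allocate */
    *result = count * elem_size;
    return true;
}

/* Accumulating check in the style of the unicode_normalize() fix. */
bool
add_size_checked(size_t total, size_t more, size_t *result)
{
    if (total > MAX_ALLOC_SIZE || more > MAX_ALLOC_SIZE - total)
        return false;               /* running total would exceed the limit */
    *result = total + more;
    return true;
}

/* palloc_array()-style allocator: NULL on overflow, never an undersized chunk. */
void *
alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!mul_size_checked(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* The 32-bit hazard itself: 0x10000 * 0x10001 wraps a 32-bit size to 0x10000. */
bool
product_wraps_in_32_bits(void)
{
    uint32_t count = 0x10000, elem_size = 0x10001;
    uint32_t wrapped = count * elem_size;   /* unsigned 32-bit arithmetic wraps */
    return wrapped == 0x10000;
}
```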
Guard against overflow in "left" fields of query_int and ltxtquery
Tom Lane
The int16 field storing operator-node offsets in contrib/intarray's query_int type can overflow when the query tree is large enough, leading to stack corruption. Rather than cap total node count, the fix adds per-node checks that the offset fits in int16.
ltree: Fix overflows with lquery parsing
Michael Paquier
Two overflow paths existed in the contrib/ltree lquery parser: a uint16 total-length field that could wrap on levels with many long OR-separated variants, and a similar overflow in per-level variant counting. Either could corrupt written data and cause a crash.
Fix overflows with ts_headline()
Michael Paquier
The StartSel, StopSel, and FragmentDelimiter option values in ts_headline() were stored as int16; passing values longer than PG_INT16_MAX silently overflowed, causing incorrect behavior or crashes in generateHeadline(). Oversized values are now rejected outright.
Guard against unsafe conditions in usage of pg_strftime()
Tom Lane
No callers of pg_strftime() checked its error return, risking use of a non-null-terminated buffer on error. The function's contract is now strengthened to guarantee a null-terminated result whenever maxsize > 0, returning an empty string on error rather than an indeterminate buffer.
Mark PQfn() unsafe and fix overrun in frontend LO interface
Nathan Bossart
When result_is_int is 0, PQfn() cannot validate that the server's response fits in result_buf, so an oversized reply silently overwrites adjacent memory. The frontend large object interface — the only in-tree caller — is fixed with an explicit buf_size parameter; PQfn() itself is now documented as unsafe and obsolete.
Check CREATE privilege on multirange type schema in CREATE TYPE
Nathan Bossart
DefineRange() omitted a schema CREATE privilege check for the automatically generated multirange type, allowing any role to place types in schemas they should not have access to. The missing check is now enforced, closing the potential privilege escalation path.
pg_createsubscriber: Obstruct SQL injection via subscription names
Nathan Bossart
drop_existing_subscription() built ALTER SUBSCRIPTION and DROP SUBSCRIPTION queries using raw, unescaped subscription names. Fixed by applying PQescapeIdentifier() throughout. Backpatched to v17 (CVE-2026-6476).
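The three SQL injection items on this page (refint, logical replication origin checks, pg_createsubscriber) share the same remedy: quote the identifier before interpolating it. As an added example that is not libpq's or PostgreSQL's code, quote_ident() reimplements the PQescapeIdentifier() / quote_identifier() rule and build_drop_subscription() shows the quoted form of the query the commit fixes; both names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Quote an SQL identifier the way PQescapeIdentifier() / quote_identifier()
 * do: wrap it in double quotes and double any embedded double quote, so the
 * whole name is one token to the parser.  Caller frees; NULL on OOM.
 */
char *
quote_ident(const char *name)
{
    size_t len = strlen(name), quotes = 0;
    for (size_t i = 0; i < len; i++)
        if (name[i] == '"')
            quotes++;
    char *out = malloc(len + quotes + 3);   /* two quotes plus NUL */
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '"')
            *p++ = '"';                     /* escape by doubling */
        *p++ = name[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/*
 * Build DROP SUBSCRIPTION from a caller-controlled name.  The name goes
 * through quote_ident() instead of being pasted in raw, which is the shape
 * of the pg_createsubscriber fix.  Caller frees; NULL on failure.
 */
char *
build_drop_subscription(const char *subname)
{
    char *q = quote_ident(subname);
    if (q == NULL)
        return NULL;
    size_t n = strlen("DROP SUBSCRIPTION ;") + strlen(q) + 1;
    char *sql = malloc(n);
    if (sql != NULL)
        snprintf(sql, n, "DROP SUBSCRIPTION %s;", q);
    free(q);
    return sql;
}
```

A constructed name containing a quote and a semicolon comes out as a single quoted identifier, so the statement boundary the attacker hoped for never appears.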
Fix MCV input array checks in statistics restore functions
Michael Paquier
Statistics restore functions accepted most_common_vals and most_common_freqs arrays of mismatched lengths and non-unit dimensionality; the planner assumed they match, so catalog corruption of this kind could trigger an over-read. Both invariants are now validated on input.
Fix REPACK with WITHOUT OVERLAPS replica identity indexes
Álvaro Herrera
REPACK replay hard-coded BTEqualStrategyNumber when resolving equality operators for replica identity indexes, which is incorrect for GiST-based indexes created by WITHOUT OVERLAPS primary keys. A second bug caused find_target_tuple() to accept false positives from lossy index scans due to missing xs_recheck handling.
Remove test cases for field overflows in intarray and ltree
Tom Lane
Stack overflow errors rather than the expected application errors are being reported on ppc64 and s390x buildfarm members for these tests; they are temporarily reverted across all branches (v14+) pending investigation after the release dust settles.
pg_upgrade: Message improvements
Peter Eisentraut
Minor message text improvements in the pg_upgrade tool.
doc PG 19 relnotes: adjustments/removal of items
Bruce Momjian — Discussion: CANWCAZZWfd…
Adjustments and removal of items in the PostgreSQL 19 release notes based on feedback from John Naylor.
HN News
⭐ Tracing PostgreSQL Using eBPF and Hardware Breakpoints
Score: 3 / Comments: 0
A detailed walkthrough of using eBPF probes combined with hardware debug breakpoints to trace PostgreSQL internals on a live instance without recompilation or source patches. The technique enables inspection of query execution paths and internal data structures in production without restarts.
Show HN: PgQueuer v1.0 – Python job queue using only PostgreSQL
Score: 2 / Comments: 0
PgQueuer reaches its 1.0 milestone as a pure-PostgreSQL-backed job queue for Python, relying on LISTEN/NOTIFY, advisory locks, and FOR UPDATE SKIP LOCKED to avoid any additional infrastructure dependencies.
Summary
May 11, 2026 was a major security patch day for PostgreSQL, with the overwhelming majority of commits addressing vulnerabilities across three CVEs: widespread integer overflow hardening under CVE-2026-6473, SQL injection in pg_createsubscriber (CVE-2026-6476), and SQL injection in logical replication's ALTER SUBSCRIPTION ... REFRESH PUBLICATION (CVE-2026-6638). The most operationally urgent fix is the unauthenticated server-crash via unbounded SSL/GSS negotiation recursion, which affects all supported branches and requires no credentials to exploit. Community activity outside the release was minimal, with a technically noteworthy eBPF tracing post and the 1.0 launch of the PgQueuer Python library drawing only modest Hacker News attention.
This digest was generated by claude based on Hacker News, GitHub, and the PostgreSQL mailing list.