Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
12.0-112.1-112.1-2build112.10-0ubuntu0.20.04.112.11-0ubuntu0.20.04.112.12-0ubuntu0.20.04.112.13-0ubuntu0.20.04.112.14-0ubuntu0.20.04.112.15-0ubuntu0.20.04.112.16-0ubuntu0.20.04.1+16 more14.23-0ubuntu0.22.04.116.14-0ubuntu0.24.04.117.10-0ubuntu0.25.10.118.4-0ubuntu0.26.04.19.3.1-19.3.10-0ubuntu0.14.049.3.11-0ubuntu0.14.049.3.12-0ubuntu0.14.049.3.13-0ubuntu0.14.049.3.14-0ubuntu0.14.049.3.15-0ubuntu0.14.049.3.16-0ubuntu0.14.049.3.17-0ubuntu0.14.049.3.18-0ubuntu0.14.04.1+19 more9.5.0-19.5.0-29.5.0-39.5.1-19.5.10-0ubuntu0.16.049.5.11-0ubuntu0.16.049.5.12-0ubuntu0.16.049.5.13-0ubuntu0.16.049.5.14-0ubuntu0.16.049.5.16-0ubuntu0.16.04.1+24 more10.1-110.1-210.10-0ubuntu0.18.04.110.12-0ubuntu0.18.04.110.14-0ubuntu0.18.04.110.15-0ubuntu0.18.04.110.16-0ubuntu0.18.04.110.17-0ubuntu0.18.04.110.18-0ubuntu0.18.04.110.19-0ubuntu0.18.04.1+16 moreExploitability
AV:NAC:LPR:NUI:RScope
S:UImpact
C:HI:HA:HCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H