PostgreSQL Ships Security Updates Across Supported Versions
The PostgreSQL Global Development Group released PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 on May 14, 2026. The cumulative minor updates fix 11 security vulnerabilities and more than 60 bugs. One of those issues, CVE-2026-6474, is specifically relevant to timestamp and timezone handling because it affects the core server's historical timeofday() function.
timeofday() Is a Historical Text-Formatting Function
PostgreSQL documents timeofday() as a historical function that returns the actual current time, like clock_timestamp(), but formats the result as a text string instead of returning a timestamp with time zone value. That makes it different from transaction_timestamp() and now(), which represent the start time of the current transaction. It is also different from to_timestamp(), which PostgreSQL documents as the conversion from Unix epoch seconds to a timestamp with time zone value.
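The distinctions above are easy to check on any PostgreSQL server. The following psql session is an added example, not code from the article or from the PostgreSQL documentation; it runs the contrasted functions inside one transaction so the return types and the "transaction start" versus "actual current time" behaviour are both visible.

```sql
-- Added example (not from the article or the PostgreSQL docs): compare the
-- return types and the timing semantics of the functions the article contrasts.
-- Run the whole block in one psql session so it stays inside one transaction.
BEGIN;

-- timeofday() returns text; the other three return timestamp with time zone.
SELECT pg_typeof(timeofday())             AS timeofday_type,
       pg_typeof(clock_timestamp())       AS clock_timestamp_type,
       pg_typeof(now())                   AS now_type,
       pg_typeof(transaction_timestamp()) AS transaction_timestamp_type;

-- Pause so the two categories visibly diverge.
SELECT pg_sleep(2);

-- now() and transaction_timestamp() still report the transaction start;
-- clock_timestamp() and timeofday() report the wall clock, about 2 s later.
SELECT now()                  AS txn_start_now,
       transaction_timestamp() AS txn_start,
       clock_timestamp()       AS actual_now,
       timeofday()             AS actual_now_text;

-- to_timestamp(double precision) does a different job: it converts Unix
-- epoch seconds into timestamp with time zone.
SELECT to_timestamp(0) AS unix_epoch_start;

COMMIT;
```

The practical consequence for code review: a value coming from timeofday() is text, so any comparison or arithmetic against real timestamp columns depends on an implicit or explicit cast and on the session's TimeZone setting, whereas clock_timestamp() gives the same wall-clock reading as a typed value.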
Crafted Timezone Zones Could Expose Server Memory
The PostgreSQL security advisory says an externally controlled format string in timeofday() could allow an attacker to retrieve portions of server memory through crafted timezone zones. The project classifies CVE-2026-6474 as a core-server issue with a CVSS 3.1 base score of 4.3. PostgreSQL lists every supported major line from 14 through 18 as affected before the May 14 fixes.
Timezone Handling Remains a Database Boundary
PostgreSQL's date-time documentation says timezone-aware dates and times are stored internally in UTC and converted to local time for display using the TimeZone configuration parameter. It also recognizes full IANA timezone names such as America/New_York. The same May security release updates PostgreSQL's bundled timezone files to tzdata 2026b for British Columbia's year-round UTC-07 rule and Moldova's historical correction, so database upgrades can carry both code fixes and timezone-data changes.
What PostgreSQL Operators Should Do
Upgrade supported PostgreSQL installations to 18.4, 17.10, 16.14, 15.18, or 14.23 as appropriate. PostgreSQL says these minor releases are cumulative and do not require a dump and reload or pg_upgrade; operators can stop PostgreSQL and update its binaries. Reviewing application and monitoring code that calls timeofday() is useful, but replacing or avoiding the function is not a substitute for applying the fixed server release. Keep timezone data current as well, especially for systems that schedule future local times.
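To turn the recommendations above (and the timezone-data point from the previous section) into concrete checks, here is an added example for operators; it is not from the article or from the PostgreSQL project. The fixed version numbers come from the article; the server_version_num arithmetic, the catalog queries, and the three sample zone names are my own assumptions about what an operator would want to look at. Searching application code outside the database for timeofday() calls is a separate step that these queries cannot cover.

```sql
-- Added example (not from the article): post-advisory checks for an operator.
-- Fixed minor versions are those named in the article; everything else here is
-- an assumption about what is worth inspecting.

-- 1. Is the running server at or above the fixed minor release?
--    server_version_num = major * 10000 + minor, so 18.4 is 180004, 17.10 is
--    170010, 16.14 is 160014, 15.18 is 150018 and 14.23 is 140023.
SELECT version(),
       current_setting('server_version_num')::int AS server_version_num,
       CASE
         WHEN current_setting('server_version_num')::int < 140000
           THEN 'unsupported major line; plan a major upgrade'
         WHEN current_setting('server_version_num')::int BETWEEN 140000 AND 140022
           THEN 'upgrade to 14.23'
         WHEN current_setting('server_version_num')::int BETWEEN 150000 AND 150017
           THEN 'upgrade to 15.18'
         WHEN current_setting('server_version_num')::int BETWEEN 160000 AND 160013
           THEN 'upgrade to 16.14'
         WHEN current_setting('server_version_num')::int BETWEEN 170000 AND 170009
           THEN 'upgrade to 17.10'
         WHEN current_setting('server_version_num')::int BETWEEN 180000 AND 180003
           THEN 'upgrade to 18.4'
         ELSE 'at or above the fixed release'
       END AS status;

-- 2. Inventory server-side objects that still reference timeofday(), as a
--    starting list for the code review the article recommends. prosrc covers
--    PL/pgSQL and classic string-body SQL functions; functions written with the
--    SQL-standard BEGIN ATOMIC body would need pg_get_functiondef() instead.
SELECT 'function' AS kind, n.nspname || '.' || p.proname AS name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosrc ILIKE '%timeofday%'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
UNION ALL
SELECT 'view', schemaname || '.' || viewname
FROM pg_views
WHERE definition ILIKE '%timeofday%'
  AND schemaname NOT IN ('pg_catalog', 'information_schema')
UNION ALL
SELECT 'column default', table_schema || '.' || table_name || '.' || column_name
FROM information_schema.columns
WHERE column_default ILIKE '%timeofday%'
ORDER BY kind, name;

-- 3. Confirm the IANA zone names the application relies on resolve in the
--    server's bundled timezone data, and see the offset currently in effect.
--    The three names are sample values chosen for this example.
SELECT name, abbrev, utc_offset, is_dst
FROM pg_timezone_names
WHERE name IN ('America/New_York', 'America/Vancouver', 'Europe/Chisinau')
ORDER BY name;
```

Query 1 is the one that matters for the advisory: any row other than "at or above the fixed release" means the server still carries the affected timeofday() code regardless of whether the function is used. Query 2 only narrows the review; removing a call does not replace the upgrade. Query 3 is worth re-running after the update, since the same release ships new tzdata and a zone whose rule changed will show a different utc_offset or is_dst value on the patched server.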