PostgreSQL 9.x — End of Life

EOL High risk

EOL: Nov 11, 20217 releases in this series56 CVEs

PostgreSQL 9.x — All releases

Version	Released	Active support	EOL date	Latest patch	Status
9.6	Sep 29, 2016	—	Nov 11, 2021	9.6.24	EOL
9.5	Jan 7, 2016	—	Feb 11, 2021	9.5.25	EOL
9.4	Dec 18, 2014	—	Feb 13, 2020	9.4.26	EOL
9.3	Sep 9, 2013	—	Nov 8, 2018	9.3.25	EOL
9.2	Sep 10, 2012	—	Nov 9, 2017	9.2.24	EOL
9.1	Sep 12, 2011	—	Oct 27, 2016	9.1.24	EOL
9.0	Sep 20, 2010	—	Oct 8, 2015	9.0.23	EOL

CVEs affecting PostgreSQL 9.x (56)

CVE	Severity	CVSS	EPSS	KEV	Cycle	Description	Published
CVE-2026-6477	HIGH	8.8	0.05%	—	9.0	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.1	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.2	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.3	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.4	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.5	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.6	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6637	HIGH	8.8	0.04%	—	9.0	Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.0	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.6	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6477	HIGH	8.8	0.05%	—	9.1	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.5	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.4	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.3	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.2	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6473	HIGH	8.8	0.07%	—	9.1	Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un…	May 14, 2026
CVE-2026-6477	HIGH	8.8	0.05%	—	9.2	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6477	HIGH	8.8	0.05%	—	9.3	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6477	HIGH	8.8	0.05%	—	9.4	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6477	HIGH	8.8	0.05%	—	9.5	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6477	HIGH	8.8	0.05%	—	9.6	Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.0	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.6	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.5	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.4	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.3	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.2	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6475	HIGH	8.8	0.05%	—	9.1	Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca…	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.1	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.0	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.6	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.5	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.4	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.3	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6479	HIGH	7.5	0.02%	—	9.2	Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX …	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.0	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.6	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.5	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.4	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.3	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.2	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6478	MEDIUM	6.5	0.08%	—	9.1	Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.1	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.2	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.3	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.5	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.6	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.0	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6472	MEDIUM	5.4	0.03%	—	9.4	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.5	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.1	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.2	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.6	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.0	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.3	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026
CVE-2026-6474	MEDIUM	4.3	0.03%	—	9.4	Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server…	May 14, 2026

PostgreSQL 9.x is EOL — migrate to PostgreSQL 10.x

PostgreSQL 10.x is the next major release. Plan your upgrade before PostgreSQL 9.x stops receiving security patches.

See PostgreSQL 10.x

Frequently asked questions

Is PostgreSQL 9 end of life?

Yes. All PostgreSQL 9.x releases have reached end of life and no longer receive security patches. There are 56 known CVEs affecting PostgreSQL 9.x. Migrate to PostgreSQL 10.x as soon as possible.

What CVEs affect PostgreSQL 9?

There are 56 CVEs tracked for PostgreSQL 9.x. See the full list above with CVSS and EPSS scores.

What is the latest PostgreSQL 9 version?

The latest PostgreSQL 9.x patch release is 9.6.24, released on November 8, 2021. Always run the latest patch to benefit from all security fixes.

How to migrate from PostgreSQL 9 to PostgreSQL 10?

To migrate from PostgreSQL 9 to PostgreSQL 10: (1) review the official PostgreSQL 10 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.

Is it safe to run PostgreSQL 9 in production?

No. PostgreSQL 9 has reached end of life and security vulnerabilities are no longer patched. Upgrade to a supported version immediately.

Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA