CVE-2020-21469 is not a security vulnerability
On August 29th, 2023, the PostgreSQL Security Team ruled that CVE-2020-21469 is not a valid security vulnerability.
The CVE, originally reported against PostgreSQL 12.2, purportedly allowed attackers to cause a Denial of Service (DoS) by repeatedly sending SIGHUP signals to the main PostgreSQL server process (the postmaster). On Linux and other Unix-like systems, SIGHUP (hang up) is the signal daemons such as web or database servers conventionally use to trigger a configuration file reload without stopping the process; PostgreSQL does the same, re-reading postgresql.conf and pg_hba.conf when it receives one.
The security team disputed the vulnerability classification because the attack vector requires an account that already holds explicitly granted elevated privileges. To execute this attack, a user must be one of the following:
- A PostgreSQL superuser
- A user explicitly granted permission to execute pg_reload_conf by a superuser (EXECUTE on this function is revoked from PUBLIC by default)
- An operating system user with privileged access to the server process, i.e. able to send it signals
As noted by Eugene Lim in From Day Zero to Zero Day, if an attacker already possesses these privileges, they can compromise or halt the database using standard functionality without needing to exploit this specific “vulnerability”.
The PostgreSQL Security Team’s stance relies on the principle that superuser access implies total control. If a user can send process signals (like SIGHUP) or execute pg_reload_conf, they have administrative control. A DoS by an administrator is considered a configuration or personnel issue, not a software vulnerability.
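The practical takeaway from the ruling is an audit question rather than a patch: who in your cluster can trigger a reload? The following SQL, added here as an illustration and not taken from the PostgreSQL project or from the original article, shows the explicit grant the ruling refers to and a query that lists every login role able to call pg_reload_conf, whether through superuser status or through a direct grant. The role name config_admin is a hypothetical placeholder; run the script as a superuser.

```sql
-- Hypothetical role used to demonstrate the explicit-grant path.
CREATE ROLE config_admin LOGIN;

-- A non-superuser cannot execute pg_reload_conf() unless granted:
-- the function's EXECUTE privilege is revoked from PUBLIC by default.
SELECT has_function_privilege('config_admin', 'pg_reload_conf()', 'EXECUTE');

-- The explicit grant a superuser must issue for the "attack" to be possible at all.
GRANT EXECUTE ON FUNCTION pg_reload_conf() TO config_admin;

-- Re-check after the grant.
SELECT has_function_privilege('config_admin', 'pg_reload_conf()', 'EXECUTE');

-- Audit: every login role that can trigger a reload, and why.
-- has_function_privilege() returns true for superusers implicitly,
-- so rolsuper distinguishes "superuser" from "explicitly granted".
SELECT r.rolname,
       r.rolsuper                                                     AS is_superuser,
       has_function_privilege(r.oid, 'pg_reload_conf()', 'EXECUTE')  AS can_reload
FROM pg_roles AS r
WHERE r.rolcanlogin
  AND has_function_privilege(r.oid, 'pg_reload_conf()', 'EXECUTE')
ORDER BY r.rolsuper DESC, r.rolname;

-- The ACL stored on the function itself shows the direct grants.
SELECT proacl
FROM pg_proc
WHERE proname = 'pg_reload_conf';

-- Remove the privilege when the role no longer needs it.
REVOKE EXECUTE ON FUNCTION pg_reload_conf() FROM config_admin;
DROP ROLE config_admin;
```

Any row in the audit result with is_superuser false is a role that received the privilege through a deliberate GRANT; if that is unexpected, the fix is the REVOKE shown above, not a CVE. The third prerequisite in the list (an OS user able to signal the postmaster) is outside the database's control entirely and is governed by file ownership of the data directory and by who can run pg_ctl reload or kill -HUP as the postgres OS user.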