CVE-2026-32286
Denial of service in github.com/jackc/pgproto3/v2
CVSS Score
7.5
EPSS Score
0.1%
EPSS Percentile
17th
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
| Vendor | github.com/jackc/pgproto3/v2 |
| Product | github.com/jackc/pgproto3/v2 |
| Published | Mar 26, 2026 |
| Last Updated | Apr 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for github.com/jackc/pgproto3/v2 github.com/jackc/pgproto3/v2
Be the first to know when new high vulnerabilities affecting github.com/jackc/pgproto3/v2 github.com/jackc/pgproto3/v2 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
github.com/jackc/pgproto3/v2 / github.com/jackc/pgproto3/v2
All versions affected References
github.com: https://github.com/advisories/GHSA-jqcq-xjh3-6g23 github.com: https://github.com/jackc/pgx/issues/2507 github.com: https://github.com/golang/vulndb/issues/4518 pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4518 securityinfinity.com: https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx