{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32286", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-03-26T19:40:51.974Z", "dateUpdated": "2026-03-26T19:40:51.974Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:51.974Z"}, "title": "Denial of service in github.com/jackc/pgproto3/v2", "descriptions": [{"lang": "en", "value": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic."}], "affected": [{"vendor": "github.com/jackc/pgproto3/v2", "product": "github.com/jackc/pgproto3/v2", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/jackc/pgproto3/v2", "versions": [{"version": "0", "lessThan": "2.0.0", "status": "unaffected", "versionType": "semver"}], "programRoutines": [{"name": "DataRow.Decode"}, {"name": "Frontend.Receive"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "references": [{"url": "https://github.com/jackc/pgx/issues/2507"}, {"url": "https://github.com/golang/vulndb/issues/4518"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4518"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic."}], "id": "CVE-2026-32286", "lastModified": "2026-03-26T20:16:12.303", "metrics": {}, "published": "2026-03-26T20:16:12.303", "references": [{"source": "[email protected]", "url": "https://github.com/golang/vulndb/issues/4518"}, {"source": "[email protected]", "url": "https://github.com/jackc/pgx/issues/2507"}, {"source": "[email protected]", "url": "https://pkg.go.dev/vuln/GO-2026-4518"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "github.com/jackc/pgproto3/v2", "source": "cna", "vendor": "github.com/jackc/pgproto3/v2"}, "product": "pgproto3", "vendor": "jackc"}], "analysis": {"en": {"generated_at": "2026-03-27T11:35:48.459880+00:00", "value": {"mitigation_remediation": ["Upgrade github.com/jackc/pgproto3/v2 to the latest release that contains the patch. The library\u2019s repository notes the fix in the most recent commit and release. ", "If an immediate upgrade is not possible, isolate the database connection behind a firewall or network segment to limit exposure to untrusted PostgreSQL servers. Monitor for panic or crash events and implement health\u2011check or restart mechanisms to mitigate downtime."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Any Go application that imports the github.com/jackc/pgproto3/v2 package is potentially affected. All released versions released prior to the corrective commit should be considered vulnerable until an updated release is applied. Refer to the linked GitHub issues and the library\u2019s release notes for the exact commit that implements the fix.", "description_and_impact": "DataRow.Decode in the github.com/jackc/pgproto3/v2 library improperly validates the length of fields in a PostgreSQL DataRow message. When a DataRow message contains a negative field length, the function triggers a slice bounds out of range panic that crashes the receiving application. This flaw is a classic improper input validation error as identified by CWE\u201120 and results in an application crash, effectively denying service to legitimate users.", "risk_and_exploitability": "The public data does not provide a CVSS or EPSS score and the vulnerability is not listed in the CISA KEV catalog, indicating a moderate level of exploitation pressure. The most likely attack vector involves a malicious or compromised PostgreSQL server sending a crafted DataRow message with a negative field length to a client application using this library. Exploitation requires network access to the application or control over the database server, and the impact is a loss of application availability, which can be critical for production services."}}}}, "created": "2026-03-27T08:32:24.696744+00:00", "updated": "2026-03-27T15:47:30.060265+00:00", "vendors": ["jackc", "jackc$PRODUCT$pgproto3"]}