CVE-2026-32286

Published: Mar 26, 2026

Modified: Apr 2, 2026

PUBLISHED

Description

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Vendor	Product	Versions
github.com/jackc/pgproto3/v2	github.com/jackc/pgproto3/v2	unaffected `0 - < 2.0.0`

References

https://github.com/advisories/GHSA-jqcq-xjh3-6g23

https://github.com/jackc/pgx/issues/2507

https://github.com/golang/vulndb/issues/4518

https://pkg.go.dev/vuln/GO-2026-4518

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32286

Description

Affected Products

References