CVE-2026-32286 PUBLISHED

Denial of service in github.com/jackc/pgproto3/v2

Assigner: Go
Reserved: 11.03.2026 Published: 26.03.2026 Updated: 26.03.2026

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
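The length check that the description says is missing, shown on a simplified DataRow body parser. This is an added example, not code from pgproto3; `decodeDataRow`, its `checked` flag, `didPanic` and the sample byte strings are constructed for illustration. In the PostgreSQL wire protocol a DataRow body is an Int16 field count followed, per field, by an Int32 length (-1 means NULL) and that many bytes.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	errMalformed = errors.New("malformed DataRow body")
	validRow     = []byte{0, 2, 0, 0, 0, 2, 'h', 'i', 0xff, 0xff, 0xff, 0xff} // constructed: "hi", NULL
	negativeRow  = []byte{0, 1, 0xff, 0xff, 0xff, 0xfe}                       // constructed: length -2
)

// decodeDataRow: checked=false trusts the length field (the advisory's bug class).
func decodeDataRow(body []byte, checked bool) (vals [][]byte, err error) {
	if len(body) < 2 {
		return nil, errMalformed
	}
	n, rp := int(binary.BigEndian.Uint16(body)), 2
	for i := 0; i < n; i++ {
		if len(body)-rp < 4 {
			return nil, errMalformed
		}
		size := int(int32(binary.BigEndian.Uint32(body[rp:])))
		rp += 4
		if size == -1 { // -1 is the protocol's NULL marker
			vals = append(vals, nil)
			continue
		}
		if checked && (size < 0 || size > len(body)-rp) {
			return nil, errMalformed // negative, or runs past the end of the body
		}
		vals = append(vals, body[rp:rp+size]) // panics if size is unvalidated and negative
		rp += size
	}
	return vals, nil
}

// didPanic reports whether f panicked, so the demonstration keeps running.
func didPanic(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	fmt.Println(decodeDataRow(negativeRow, true))
	fmt.Println(didPanic(func() { _, _ = decodeDataRow(negativeRow, false) }))
}
```

A client that cannot upgrade immediately can contain the failure by recovering from panics around the goroutine that reads server messages, so that one malformed message does not terminate the process.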

Product Status

Vendor github.com/jackc/pgproto3/v2
Product github.com/jackc/pgproto3/v2
Versions Default: affected
  • unaffected from 0 to 2.0.0 (excl.)

Problem Types

  • CWE-125: Out-of-bounds Read