{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32286", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-03-26T19:40:51.974Z", "dateUpdated": "2026-04-02T19:08:53.981Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-02T19:08:53.981Z"}, "title": "Denial of service in github.com/jackc/pgproto3/v2", "descriptions": [{"lang": "en", "value": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic."}], "affected": [{"vendor": "github.com/jackc/pgproto3/v2", "product": "github.com/jackc/pgproto3/v2", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/jackc/pgproto3/v2", "versions": [{"version": "0", "lessThan": "2.0.0", "status": "unaffected", "versionType": "semver"}], "programRoutines": [{"name": "DataRow.Decode"}, {"name": "Frontend.Receive"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "references": [{"url": "https://github.com/advisories/GHSA-jqcq-xjh3-6g23"}, {"url": "https://github.com/jackc/pgx/issues/2507"}, {"url": "https://github.com/golang/vulndb/issues/4518"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4518"}]}, "adp": [{"references": [{"url": "https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:08:15.986882Z", "id": "CVE-2026-32286", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:55:11.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32286", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:08:15.986882Z"}}}], "references": [{"url": "https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:08:56.643Z"}}], "cna": {"title": "Denial of service in github.com/jackc/pgproto3/v2", "affected": [{"vendor": "github.com/jackc/pgproto3/v2", "product": "github.com/jackc/pgproto3/v2", "versions": [{"status": "unaffected", "version": "0", "lessThan": "2.0.0", "versionType": "semver"}], "packageName": "github.com/jackc/pgproto3/v2", "collectionURL": "https://pkg.go.dev", "defaultStatus": "affected", "programRoutines": [{"name": "DataRow.Decode"}, {"name": "Frontend.Receive"}]}], "references": [{"url": "https://github.com/advisories/GHSA-jqcq-xjh3-6g23"}, {"url": "https://github.com/jackc/pgx/issues/2507"}, {"url": "https://github.com/golang/vulndb/issues/4518"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4518"}], "descriptions": [{"lang": "en", "value": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-02T19:08:53.981Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32286", "state": "PUBLISHED", "dateUpdated": "2026-04-02T19:08:53.981Z", "dateReserved": "2026-03-11T16:38:46.556Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-26T19:40:51.974Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic."}, {"lang": "es", "value": "La funci\u00f3n DataRow.Decode no valida correctamente las longitudes de los campos. Un servidor PostgreSQL malicioso o comprometido puede enviar un mensaje DataRow con una longitud de campo negativa, causando un p\u00e1nico de desbordamiento de l\u00edmites de slice."}], "id": "CVE-2026-32286", "lastModified": "2026-04-02T20:16:23.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T20:16:12.303", "references": [{"source": "security@golang.org", "url": "https://github.com/advisories/GHSA-jqcq-xjh3-6g23"}, {"source": "security@golang.org", "url": "https://github.com/golang/vulndb/issues/4518"}, {"source": "security@golang.org", "url": "https://github.com/jackc/pgx/issues/2507"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4518"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Undergoing Analysis"}

{"bugzilla": {"description": "github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server", "id": "2451847", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451847"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.", "A flaw was found in the DataRow.Decode function within the github.com/jackc/pgproto3/v2 component. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message containing a negative field length. This improper validation of field lengths leads to a \"slice bounds out of range panic\", resulting in a Denial of Service (DoS) for the affected application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32286", "package_state": [{"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Affected", "package_name": "rhai/assisted-installer-controller-rhel9", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Affected", "package_name": "rhai/assisted-installer-rhel9", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-agent-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-agent-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-controller-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-controller-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/cluster-api-provider-aws-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-agent-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-manager-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-operator-bundle", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-rhel9-operator", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-search-indexer-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-search-v2-api-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-argoexec-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_cluster_manager_cli:1", "fix_state": "Affected", "package_name": "ocm-cli-clients/ocm-cli-rhel9", "product_name": "Red Hat OpenShift Cluster Manager CLI"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-api-server-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-api-server-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-csr-approver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-csr-approver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-node-agent-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-node-agent-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-orchestrator-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-orchestrator-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-aws-cluster-api-controllers-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/clair-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-operator-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-operator-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/createtree-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/trillian-database-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/trillian-logserver-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/trillian-logsigner-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/updatetree-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2026-03-26T19:40:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32286\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32286\nhttps://github.com/golang/vulndb/issues/4518\nhttps://github.com/jackc/pgx/issues/2507\nhttps://pkg.go.dev/vuln/GO-2026-4518"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "github.com/jackc/pgproto3/v2", "source": "cna", "vendor": "github.com/jackc/pgproto3/v2"}, "product": "pgproto3", "vendor": "jackc"}], "analysis": {"en": {"generated_at": "2026-03-28T13:53:26.709878+00:00", "value": {"mitigation_remediation": ["Update the pgproto3 library to the latest patched release from its GitHub repository.", "Verify your dependency lock files (e.g., go.mod and go.sum) to ensure the vulnerable version is not in use.", "If the patch cannot be applied immediately, isolate the affected services, monitor for panic crashes, and restrict traffic from untrusted PostgreSQL servers via firewall rules or network segmentation."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Any application that incorporates the github.com/jackc/pgproto3/v2 library is at risk, including projects that depend on this library such as pgx. All releases prior to the official fix are potentially vulnerable, as the CVE entry does not supply specific version ranges.", "description_and_impact": "The vulnerability lies in the DataRow.Decode function of the pgproto3 library. It fails to validate field lengths, allowing a malicious PostgreSQL server to send a DataRow message with a negative field length. The library does not check this value, causing a slice bounds error that triggers a panic and crashes the consuming application. This results in a denial of service for the affected process. The weakness corresponds to CWE\u20111285, which indicates improper handling of array bounds or indices.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high impact, yet the EPSS score of less than 1% suggests that exploitation is presently unlikely and it is not listed in the CISA KEV catalog. The attack vector is remote via the PostgreSQL server side; an attacker who can control or compromise a PostgreSQL instance can send the malicious DataRow message. No special client\u2011side privileges are required, though the vulnerable client must accept the connection. Consequently, systems that accept connections from untrusted databases should treat this as sufficiently risky to justify prompt remediation."}}}}, "created": "2026-03-27T08:32:24.696744+00:00", "updated": "2026-03-29T20:27:51.799042+00:00", "vendors": ["jackc", "jackc$PRODUCT$pgproto3"]}