Description
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
Published: 2026-03-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The DataRow.Decode function in the Go package github.com/jackc/pgproto3/v2 does not properly validate field lengths. An attacker who can influence the PostgreSQL server to send a DataRow message with a negative field length can trigger a slice bounds out of range panic, causing the client process to crash. This disruption results in a denial of service for any application relying on this library.
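To make the failure mode concrete, here is an added illustration (example code, not pgproto3's own implementation) of a DataRow body decoder written in the unchecked pattern the advisory describes beside a validating version. It parses only the message body (field count onward) in the PostgreSQL wire layout; the two sample bodies are constructed, and decodeUnchecked, decodeChecked and ErrBadLength are hypothetical names.

```go
package main

import "encoding/binary"
import "errors"

// Constructed DataRow bodies: int16 field count, then per field an int32 length
// (-1 = SQL NULL) and that many bytes. maliciousRow declares a length of -2.
var (
	validRow     = []byte{0, 2, 0, 0, 0, 2, '4', '2', 0xFF, 0xFF, 0xFF, 0xFF}
	maliciousRow = []byte{0, 1, 0xFF, 0xFF, 0xFF, 0xFE, 'x', 'y'}
	ErrBadLength = errors.New("datarow: invalid field length")
)

// decodeUnchecked trusts the length as a slice bound (the advisory's pattern).
func decodeUnchecked(src []byte) [][]byte {
	fields, pos := make([][]byte, int(binary.BigEndian.Uint16(src))), 2
	for i := range fields {
		l := int(int32(binary.BigEndian.Uint32(src[pos:])))
		pos += 4
		if l != -1 {
			fields[i] = src[pos : pos+l] // l == -2 gives src[6:4]: runtime panic
			pos += l
		}
	}
	return fields
}

// decodeChecked returns ErrBadLength for a truncated body, a length below -1,
// or a length that overruns the remaining bytes, instead of panicking.
func decodeChecked(src []byte) ([][]byte, error) {
	if len(src) < 2 {
		return nil, ErrBadLength
	}
	fields, pos := make([][]byte, int(binary.BigEndian.Uint16(src))), 2
	for i := range fields {
		if len(src)-pos < 4 {
			return nil, ErrBadLength
		}
		l := int(int32(binary.BigEndian.Uint32(src[pos:])))
		pos += 4
		if l < -1 || l > len(src)-pos {
			return nil, ErrBadLength
		}
		if l != -1 {
			fields[i] = src[pos : pos+l]
			pos += l
		}
	}
	return fields, nil
}
```

Running decodeUnchecked on maliciousRow aborts the process with a "slice bounds out of range" panic unless recovered, while decodeChecked returns ErrBadLength and keeps the client alive.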

Affected Systems

The vulnerability affects the Go library github.com/jackc/pgproto3/v2. Any Go application that imports this package, especially one using the pgx PostgreSQL driver, may be impacted if it connects to a PostgreSQL instance that can send malformed DataRow messages. No specific version ranges are provided in the advisory.

Risk and Exploitability

Exploitation requires the attacker to control or compromise a PostgreSQL server so that it sends a malicious DataRow message. The advisory does not provide an EPSS score or CVSS score, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is the database server itself, the risk is moderate to high for systems that connect to untrusted or potentially malicious database instances. The impact is a crash of the client process, leading to service interruption.

Generated by OpenCVE AI on March 26, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of github.com/jackc/pgproto3/v2 that implements the field length validation fix.
  • Verify that all downstream Go applications and modules use the updated library version.
  • If an immediate patch cannot be applied, isolate the PostgreSQL server from untrusted networks and apply stricter firewall rules to limit which hosts can connect.
  • Monitor application logs for slice bounds out of range panics and investigate any unexpected crashes that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000
  Weaknesses: CWE-20

Fri, 27 Mar 2026 08:45:00 +0000
  First Time appeared: Jackc, Jackc pgproto3
  Vendors & Products: Jackc, Jackc pgproto3

Thu, 26 Mar 2026 20:00:00 +0000
  Description: The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
  Title: Denial of service in github.com/jackc/pgproto3/v2
References

MITRE
  Status: PUBLISHED
  Assigner: Go
  Published:
  Updated: 2026-03-26T19:40:51.974Z
  Reserved: 2026-03-11T16:38:46.556Z
  Link: CVE-2026-32286

Vulnrichment
  No data.

NVD
  Status: Received
  Published: 2026-03-26T20:16:12.303
  Modified: 2026-03-26T20:16:12.303
  Link: CVE-2026-32286

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-03-27T09:25:22Z

Weaknesses