Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory Safety Vulnerability
Action: Immediate Patch
AI Analysis

Impact

The reported issue is a memory‑safety flaw in the pgx v5 Go database driver. The vulnerability allows unchecked read or write operations on arbitrary memory regions, which can cause an application crash or leak sensitive data. The consequences influence the confidentiality, integrity, and availability of software that relies on the driver.

Affected Systems

The flaw applies to the pgx_project’s v5 package and its nested pgproto3 module. No specific version range is noted, implying any deployment of pgx v5 that has not updated to the latest release may be vulnerable. This includes Go applications that import github.com/jackc/pgx/v5 directly or indirectly through other modules.

Risk and Exploitability

The CVSS score of 9.8 categorizes this as a critical vulnerability, while the EPSS score of less than 1% suggests that exploitation is currently rare. The most plausible attack path involves a malicious client sending crafted database or protocol frames to a Go service that uses pgx, resulting in memory corruption. Though the precise attack vector is not detailed in the description, this inference is based on the nature of the driver and typical client-server interactions.

Generated by OpenCVE AI on April 14, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgx to the most recent version that contains the fix and rebuild your application.
  • Verify that all dependent modules reference the updated pgx version and that no older copies remain in the dependency tree.
  • If an immediate upgrade is not feasible, isolate the database access layer, restrict the inputs it accepts, and monitor traffic for anomalous frames that could trigger the fault.
  • Stay alert to new advisories from the pgx project on the Go package index or GitHub repository for further remediation guidance.

Generated by OpenCVE AI on April 14, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xgrm-4fwx-7qm8 pgx contains memory-safety vulnerability
History

Tue, 14 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Pgx Project
Pgx Project pgx
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:*
Vendors & Products Pgx Project
Pgx Project pgx

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Jackc
Jackc pgx
Vendors & Products Jackc
Jackc pgx

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

threat_severity

Important

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Memory-safety vulnerability in github.com/jackc/pgx/v5.
Title CVE-2026-33815 in github.com/jackc/pgx
References

Subscriptions

Jackc Pgx
Pgx Project Pgx
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-17T18:30:29.157Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33815

cve-icon Vulnrichment

Updated: 2026-04-09T14:23:19.769Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T16:16:24.813

Modified: 2026-04-14T19:58:43.900

Link: CVE-2026-33815

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T15:19:24Z

Links: CVE-2026-33815 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses