Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The issue is a memory‑safety flaw in the pgx Go PostgreSQL driver that allows an out‑of‑bounds write (CWE‑787). A malformed response from a database could overwrite adjacent memory in the Go process, potentially enabling arbitrary code execution, data corruption, or denial of service for any application that links against pgx.

Affected Systems

The vulnerability resides in the official pgx project under github.com/jackc/pgx/v5 and its pgproto3 component. The CNA does not provide specific version ranges, implying that any release of v5 containing the vulnerable code may be affected. Administrators should review their Go module dependencies to confirm whether the library is present in their builds.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is considered critical, yet the EPSS score is below 1%. It is not listed in CISA’s KEV catalog. The likely attack path involves a crafted PostgreSQL payload processed by an application that uses pgx, which could allow an attacker to write arbitrary data to memory and potentially execute code. The risk remains significant for services exposed to untrusted database traffic, and urgent remediation is advised.

Generated by OpenCVE AI on April 14, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgx to the latest patched version released by the project.
  • Test the updated library in a staging environment to verify application functionality.
  • If an upgrade cannot be performed immediately, isolate the affected component and monitor logs for anomalous database traffic that could indicate exploitation attempts.

Generated by OpenCVE AI on April 14, 2026 at 22:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9jj7-4m8r-rfcm Memory-safety vulnerability in github.com/jackc/pgx/v5.
History

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Pgx Project
Pgx Project pgx
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:*
Vendors & Products Pgx Project
Pgx Project pgx

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Jackc
Jackc pgx
Vendors & Products Jackc
Jackc pgx

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

threat_severity

Important

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Memory-safety vulnerability in github.com/jackc/pgx/v5.
Title CVE-2026-33816 in github.com/jackc/pgx
References

Subscriptions

Jackc Pgx
Pgx Project Pgx
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-15T15:49:13.116Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33816

cve-icon Vulnrichment

Updated: 2026-04-09T14:26:04.652Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T16:16:24.920

Modified: 2026-04-14T20:01:07.160

Link: CVE-2026-33816

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T15:19:24Z

Links: CVE-2026-33816 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses