CVE-2026-32286: Improper Validation of Specified Index, Position, or Offset in Input in golang-github-jackc-pgproto3

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 81.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26; latest update Mar 27

Description

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
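As an added illustration (not pgproto3's own code), a minimal Go decoder for the body of a PostgreSQL DataRow message that validates every field length before slicing, so the negative-length case described above is rejected with an error instead of a panic. The two sample message bodies are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrBadFieldLength flags a length that is neither -1 (NULL) nor a fit for the remaining bytes.
var ErrBadFieldLength = errors.New("datarow: invalid field length")
// decodeDataRow parses a DataRow message body: int16 column count, then per
// column an int32 length followed by that many bytes (-1 means SQL NULL).
// Illustrative code, not pgproto3's: every length is validated before it is
// used to slice src, so a hostile server cannot trigger a slice-bounds panic.
func decodeDataRow(src []byte) ([][]byte, error) {
	if len(src) < 2 {
		return nil, errors.New("datarow: message too short")
	}
	fieldCount := int(binary.BigEndian.Uint16(src))
	rp := 2
	values := make([][]byte, 0, fieldCount)
	for i := 0; i < fieldCount; i++ {
		if len(src)-rp < 4 {
			return nil, errors.New("datarow: truncated field length")
		}
		fieldLen := int32(binary.BigEndian.Uint32(src[rp:]))
		rp += 4
		if fieldLen == -1 { // SQL NULL
			values = append(values, nil)
			continue
		}
		// The check the advisory describes as missing: reject negative lengths
		// and lengths that run past the end of the message before slicing.
		if fieldLen < 0 || int(fieldLen) > len(src)-rp {
			return nil, fmt.Errorf("%w: %d with %d bytes left", ErrBadFieldLength, fieldLen, len(src)-rp)
		}
		values = append(values, src[rp:rp+int(fieldLen)])
		rp += int(fieldLen)
	}
	return values, nil
}

// Constructed sample bodies (not captured from a real server).
var goodRow = []byte{0, 2, 0, 0, 0, 3, 'a', 'b', 'c', 0xff, 0xff, 0xff, 0xff} // "abc", NULL
var badRow = []byte{0, 1, 0xff, 0xff, 0xff, 0xfe}                            // length -2
func main() {
	fmt.Println(decodeDataRow(goodRow))
	fmt.Println(decodeDataRow(badRow))
}
```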

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Debian: debian/golang-github-jackc-pgproto3 < 2.3.3-2 (forky)
Go: github.com/jackc_pgproto3_v2, 2.0.0 to 2.3.3

Vulnerability Details (3)

OSV: CVE-2026-32286: The DataRow (2026-03-26)
OSV: Denial of service in github.com/jackc/pgproto3/v2 (2026-03-18)
GHSA: Denial of service in github.com/jackc/pgproto3/v2 (2026-03-18)

Vendor Advisories (2)

Red Hat: github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server (2026-03-26)
Debian: CVE-2026-32286: golang-github-jackc-pgproto3 - The DataRow.Decode function fails to properly validate field lengths. A maliciou... (2026)

Threat Intelligence (2)

Wiz: CVE-2026-4427 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-32286 Impact, Exploitability, and Mitigation Steps | Wiz

Community (3)

Bugzilla: CVE-2026-32286 inspektor-gadget: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server [fedora-all] (2026-03-27)
Bugzilla: CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server (2026-03-26)
Bugzilla: CVE-2026-4427 github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message (2026-03-18)