CVE-2026-32286 (GCVE-0-2026-32286)

Vulnerability from cvelistv5 – Published: 2026-03-26 19:40 – Updated: 2026-07-01 12:04
VLAI
Title
Denial of service in github.com/jackc/pgproto3/v2
Summary
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-125 - Out-of-bounds Read
  • CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
Assigner
Go
References
URL Tags
https://github.com/advisories/GHSA-jqcq-xjh3-6g23
https://github.com/jackc/pgx/issues/2507
https://github.com/golang/vulndb/issues/4518
https://pkg.go.dev/vuln/GO-2026-4518
https://securityinfinity.com/research/memory-safe… exploit
https://access.redhat.com/security/cve/CVE-2026-32286 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2451847 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:22450 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22714 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22423 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22347 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21769 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23345 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11070 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11217 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11916 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11856 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21017 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:24853 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19375 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22465 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11996 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
github.com/jackc/pgproto3/v2 github.com/jackc/pgproto3/v2 Unaffected: 0 , < 2.0.0 (semver)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
Create a notification for this product.
Red Hat Multicluster Global Hub 1.3.4     cpe:/a:redhat:multicluster_globalhub:1.3::el9
Create a notification for this product.
Red Hat Multicluster Global Hub 1.4.5     cpe:/a:redhat:multicluster_globalhub:1.4::el9
Create a notification for this product.
Red Hat Multicluster Global Hub 1.5.4     cpe:/a:redhat:multicluster_globalhub:1.5::el9
Create a notification for this product.
Red Hat Multicluster Global Hub 1.6.2     cpe:/a:redhat:multicluster_globalhub:1.6::el9
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.8     cpe:/a:redhat:advanced_cluster_security:4.8::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.10     cpe:/a:redhat:quay:3.10::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.12     cpe:/a:redhat:quay:3.12::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.14     cpe:/a:redhat:quay:3.14::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.15     cpe:/a:redhat:quay:3.15::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.16     cpe:/a:redhat:quay:3.16::el9
Create a notification for this product.
Red Hat Red Hat Quay 3.17     cpe:/a:redhat:quay:3.17::el9
Create a notification for this product.
Red Hat Red Hat Quay 3.9     cpe:/a:redhat:quay:3.9::el8
Create a notification for this product.
Red Hat Assisted Installer for Red Hat OpenShift Container Platform 2     cpe:/a:redhat:assisted_installer:2
Create a notification for this product.
Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Red Hat Red Hat OpenShift Cluster Manager CLI     cpe:/a:redhat:openshift_cluster_manager_cli:1
Create a notification for this product.
Red Hat Red Hat OpenShift on AWS     cpe:/a:redhat:openshift_service_on_aws:1
Create a notification for this product.
Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
Create a notification for this product.
Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Security 4     cpe:/a:redhat:advanced_cluster_security:4
Create a notification for this product.
Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32286",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T14:08:15.986882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T14:55:11.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.3::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.3.4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.4::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.4.5",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.5::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.5.4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.6::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.6.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:advanced_cluster_security:4.8::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.10::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.12::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.12",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.14::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.14",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.15::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.15",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.16::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.16",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.17::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.17",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3.9::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3.9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:assisted_installer:2"
            ],
            "defaultStatus": "affected",
            "product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:acm:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_cluster_manager_cli:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Cluster Manager CLI",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_service_on_aws:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift on AWS",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub"
            ],
            "defaultStatus": "unaffected",
            "product": "Multicluster Global Hub",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:advanced_cluster_security:4"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Advanced Cluster Security 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:trusted_artifact_signer:1"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Trusted Artifact Signer",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-26T19:40:51.974Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in the DataRow.Decode function within the github.com/jackc/pgproto3/v2 component. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message containing a negative field length. This improper validation of field lengths leads to a \"slice bounds out of range panic\", resulting in a Denial of Service (DoS) for the affected application."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1285",
                "description": "Improper Validation of Specified Index, Position, or Offset in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T12:04:50.953Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-32286"
          },
          {
            "name": "RHBZ#2451847",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451847"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32286.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22450"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22714"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22423"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22347"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21769"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23345"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11070"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11217"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11916"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11856"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21017"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24853"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19375"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22465"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11996"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:22450: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22714: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22347: Multicluster Global Hub 1.4.5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21769: Multicluster Global Hub 1.5.4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23345: Multicluster Global Hub 1.6.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11916: Red Hat Quay 3.10"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11856: Red Hat Quay 3.12"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21017: Red Hat Quay 3.14"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24853: Red Hat Quay 3.15"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19375: Red Hat Quay 3.16"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22465: Red Hat Quay 3.17"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11996: Red Hat Quay 3.9"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-26T20:01:59.226Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-26T19:40:51.974Z",
            "value": "Made public."
          }
        ],
        "title": "github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "affected",
          "packageName": "github.com/jackc/pgproto3/v2",
          "product": "github.com/jackc/pgproto3/v2",
          "programRoutines": [
            {
              "name": "DataRow.Decode"
            },
            {
              "name": "Frontend.Receive"
            }
          ],
          "vendor": "github.com/jackc/pgproto3/v2",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T19:08:53.981Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://github.com/advisories/GHSA-jqcq-xjh3-6g23"
        },
        {
          "url": "https://github.com/jackc/pgx/issues/2507"
        },
        {
          "url": "https://github.com/golang/vulndb/issues/4518"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4518"
        }
      ],
      "title": "Denial of service in github.com/jackc/pgproto3/v2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32286",
    "datePublished": "2026-03-26T19:40:51.974Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-07-01T12:04:50.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32286",
      "date": "2026-07-02",
      "epss": "0.00494",
      "percentile": "0.38786"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32286\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2026-03-26T20:16:12.303\",\"lastModified\":\"2026-07-01T13:17:02.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n DataRow.Decode no valida correctamente las longitudes de los campos. Un servidor PostgreSQL malicioso o comprometido puede enviar un mensaje DataRow con una longitud de campo negativa, causando un p\u00e1nico de desbordamiento de l\u00edmites de slice.\"}],\"affected\":[{\"source\":\"security@golang.org\",\"affectedData\":[{\"vendor\":\"github.com/jackc/pgproto3/v2\",\"product\":\"github.com/jackc/pgproto3/v2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://pkg.go.dev\",\"packageName\":\"github.com/jackc/pgproto3/v2\",\"programRoutines\":[{\"name\":\"DataRow.Decode\"},{\"name\":\"Frontend.Receive\"}],\"versions\":[{\"version\":\"0\",\"lessThan\":\"2.0.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.3.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.4.5\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.4::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.5.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.5::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.6.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.6::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security for Kubernetes 4.8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4.8::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.10::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.12\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.12::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.14\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.14::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.15\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.15::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.16\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.16::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.17\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.17::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3.9::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Assisted Installer for Red Hat OpenShift Container Platform 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:assisted_installer:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Engine for Kubernetes\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Management for Kubernetes 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:acm:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Cluster Manager CLI\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_cluster_manager_cli:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift on AWS\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_service_on_aws:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:quay:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Security 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:advanced_cluster_security:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Hardened Images\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:hummingbird:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Trusted Artifact Signer\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:trusted_artifact_signer:1\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-30T14:08:15.986882Z\",\"id\":\"CVE-2026-32286\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-129\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jackc:pgproto3:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndIncluding\":\"2.3.3\",\"matchCriteriaId\":\"C7421789-D5FC-421F-A35D-B5B66FFAC4B3\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-jqcq-xjh3-6g23\",\"source\":\"security@golang.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/golang/vulndb/issues/4518\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/jackc/pgx/issues/2507\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2026-4518\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11070\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11217\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11856\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11916\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:11996\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19375\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21017\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21769\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22347\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22423\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22450\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22465\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22714\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23345\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24853\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-32286\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2451847\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32286.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32286\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-30T14:08:15.986882Z\"}}}], \"references\": [{\"url\": \"https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-30T14:08:56.643Z\"}}], \"cna\": {\"title\": \"Denial of service in github.com/jackc/pgproto3/v2\", \"affected\": [{\"vendor\": \"github.com/jackc/pgproto3/v2\", \"product\": \"github.com/jackc/pgproto3/v2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"2.0.0\", \"versionType\": \"semver\"}], \"packageName\": \"github.com/jackc/pgproto3/v2\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"affected\", \"programRoutines\": [{\"name\": \"DataRow.Decode\"}, {\"name\": \"Frontend.Receive\"}]}], \"references\": [{\"url\": \"https://github.com/advisories/GHSA-jqcq-xjh3-6g23\"}, {\"url\": \"https://github.com/jackc/pgx/issues/2507\"}, {\"url\": \"https://github.com/golang/vulndb/issues/4518\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2026-4518\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-125: Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2026-04-02T19:08:53.981Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32286\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T19:08:53.981Z\", \"dateReserved\": \"2026-03-11T16:38:46.556Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2026-03-26T19:40:51.974Z\", \"assignerShortName\": \"Go\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…