High severity · 7.5 · NVD Advisory · Published Mar 26, 2026 · Updated Jun 3, 2026
CVE-2026-32286
Description
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/jackc/pgproto3/v2 (Go) | >= 2.0.0, <= 2.3.3 | — |
Affected products
39 · osv-coords · 37 versions (no CPE is listed for any entry)

| Package | Range |
|---|---|
| pkg:apk/chainguard/bento | < 1.16.1-r1 |
| pkg:apk/chainguard/bento-fips | < 1.16.1-r1 |
| pkg:apk/chainguard/flyte | < 0 |
| pkg:apk/chainguard/grafana-alloy | < 1.17.0-r0 |
| pkg:apk/chainguard/grafana-alloy-fips | < 1.17.0-r0 |
| pkg:apk/chainguard/harbor-2.15-registryctl | < 0 |
| pkg:apk/chainguard/harbor-fips-2.15-registryctl | < 0 |
| pkg:apk/chainguard/splunk-otel-collector | < 0.154.0-r0 |
| pkg:apk/chainguard/splunk-otel-collector-fips | < 0.154.0-r0 |
| pkg:apk/chainguard/src | < 0 |
| pkg:apk/chainguard/steampipe | < 2.4.0-r4 |
| pkg:apk/chainguard/telegraf-1.37 | < 1.37.3-r7 |
| pkg:apk/chainguard/telegraf-1.38 | < 1.38.1-r2 |
| pkg:apk/chainguard/teleport-17 | < 17.7.23-r0 |
| pkg:apk/chainguard/teleport-17-operator | < 17.7.23-r0 |
| pkg:apk/chainguard/teleport-18 | < 18.7.6-r0 |
| pkg:apk/chainguard/teleport-18.6 | < 0 |
| pkg:apk/chainguard/teleport-18.6-operator | < 0 |
| pkg:apk/chainguard/teleport-18-operator | < 18.7.6-r0 |
| pkg:apk/chainguard/teleport-operator-fips-16 | < 0 |
| pkg:apk/chainguard/teleport-operator-fips-17 | < 0 |
| pkg:apk/chainguard/teleport-operator-fips-18 | < 0 |
| pkg:apk/wolfi/bento | < 1.16.1-r1 |
| pkg:apk/wolfi/flyte | < 0 |
| pkg:apk/wolfi/grafana-alloy | < 1.17.0-r0 |
| pkg:apk/wolfi/splunk-otel-collector | < 0.154.0-r0 |
| pkg:apk/wolfi/src | < 0 |
| pkg:apk/wolfi/steampipe | < 2.4.0-r4 |
| pkg:apk/wolfi/telegraf-1.37 | < 1.37.3-r7 |
| pkg:apk/wolfi/telegraf-1.38 | < 1.38.1-r2 |
| pkg:apk/wolfi/teleport-17 | < 17.7.23-r0 |
| pkg:apk/wolfi/teleport-18 | < 18.7.6-r0 |
| pkg:apk/wolfi/teleport-18.6 | < 0 |
| pkg:apk/wolfi/teleport-18.6-operator | < 0 |
| pkg:apk/wolfi/teleport-18-operator | < 18.7.6-r0 |
| pkg:golang/github.com/jackc/pgproto3/v2 | >= 2.0.0, <= 2.3.3 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | < 0.0.20260326T203309-150000.1.155.2 |
References
- pkg.go.dev/vuln/GO-2026-4518 · nvd · Patch · Third Party Advisory · WEB
- github.com/advisories/GHSA-jqcq-xjh3-6g23 · nvd · Third Party Advisory · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32286 · ghsa · ADVISORY
- securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx · nvd · Mitigation · Third Party Advisory · WEB
- bugzilla.redhat.com/show_bug.cgi · ghsa · WEB
- github.com/golang/vulndb/issues/4518 · nvd · Issue Tracking · WEB
- github.com/jackc/pgx/issues/2507 · nvd · Issue Tracking · WEB