Critical severity 9.8 (NVD Advisory) · Published Apr 7, 2026 · Updated Apr 14, 2026
CVE-2026-33815
Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/jackc/pgx/v5/pgproto3 (Go) | < 5.9.0 | 5.9.0 |
Affected products
- cpe:2.3:a:pgx_project:pgx:*:*:*:*:*:go:*:*
Patches
6dbad4cafdb8 Guard against negative parameter lengths in Bind messages
2 files changed · +27 −1
pgproto3/bind.go+1 −1 modified@@ -82,7 +82,7 @@ func (dst *Bind) Decode(src []byte) error { continue } - if len(src[rp:]) < msgSize { + if msgSize < 0 || len(src[rp:]) < msgSize { return &invalidMessageFormatErr{messageType: "Bind"} }
pgproto3/bind_test.go+26 −0 modified@@ -7,6 +7,32 @@ import ( "github.com/stretchr/testify/require" ) +// https://github.com/jackc/pgx/issues/2519 +func TestBindDecodeNegativeParameterLength(t *testing.T) { + t.Parallel() + + // Craft a Bind message with a negative parameter length that is not -1. + // This should return an error, not panic. + // + // Message layout: + // - destination portal: "" (1 byte null terminator) + // - prepared statement: "" (1 byte null terminator) + // - parameter format code count: 0 (2 bytes) + // - parameter count: 1 (2 bytes) + // - parameter 0 length: -2 (4 bytes, 0xFFFFFFFE) + src := []byte{ + 0, // destination portal null terminator + 0, // prepared statement null terminator + 0, 0, // parameter format code count = 0 + 0, 1, // parameter count = 1 + 0xFF, 0xFF, 0xFF, 0xFE, // parameter length = -2 + } + + var bind pgproto3.Bind + err := bind.Decode(src) + require.Error(t, err, "Bind.Decode should reject negative parameter length other than -1") +} + func TestBindBiggerThanMaxMessageBodyLen(t *testing.T) { t.Parallel()
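Review bot: In the bind.go hunk, the new `msgSize < 0` guard deserves an inline comment explaining why it is reachable: the `continue` just above it means the -1 (NULL) sentinel has already been dealt with, so any other negative length here is malformed input. Without the comment a later reader may "simplify" the condition away, because `len(src[rp:]) < msgSize` is trivially false for a negative `msgSize` and the old code therefore let such values through to the code that follows. Consider also pointing the comment at the reproducer, e.g. `// See https://github.com/jackc/pgx/issues/2519: lengths other than -1 must not be negative.`

Review bot: The new TestBindDecodeNegativeParameterLength only asserts that some error is returned; since the fix explicitly returns `&invalidMessageFormatErr{messageType: "Bind"}`, tightening the assertion with `require.ErrorAs` (or `require.IsType`) on that error type would catch a regression where a different error path is hit first. The comment "negative parameter length other than -1" also implies a companion case that is missing: a message whose parameter 0 length is `0xFF, 0xFF, 0xFF, 0xFF` (-1, NULL) should still decode without error, which would lock in that the new guard does not reject the legitimate sentinel.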
References
- github.com/advisories/GHSA-xgrm-4fwx-7qm8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33815 (GHSA, advisory)
- pkg.go.dev/vuln/GO-2026-4771 (NVD, third-party advisory, web)
- github.com/jackc/pgx/v5 (GHSA, package)
- github.com/jackc/pgx/commit/6dbad4cafdb8a4daab7ff79c858c95da4b6109e8 (GHSA, web)
- github.com/jackc/pgx/issues/2519 (GHSA, web)
- github.com/jackc/pgx/issues/2530 (GHSA, web)