CVE-2026-32286

Опубликовано: 26 мар. 2026

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Ссылки

https://github.com/advisories/GHSA-jqcq-xjh3-6g23
Third Party Advisory
https://github.com/golang/vulndb/issues/4518
Issue Tracking
https://github.com/jackc/pgx/issues/2507
Issue Tracking
https://pkg.go.dev/vuln/GO-2026-4518
Patch
Third Party Advisory
https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jackc:pgproto3:*:*:*:*:*:go:*:*

Версия от 2.0.0 (включая) до 2.3.3 (включая)

EPSS

Процентиль: 27%

0.00357

Низкий

7.5 High

CVSS3

Дефекты

CWE-129

Связанные уязвимости

CVE-2026-32286

CVSS3: 7.5

ubuntu

3 месяца назад

CVE-2026-32286

CVSS3: 7.5

redhat

3 месяца назад

CVE-2026-32286

CVSS3: 7.5

debian

3 месяца назад

The DataRow.Decode function fails to properly validate field lengths. ...

GHSA-jqcq-xjh3-6g23

CVSS3: 7.5

github

3 месяца назад

Denial of service in github.com/jackc/pgproto3/v2

RLSA-2026:22714

rocky

16 дней назад

Important: osbuild-composer security update

EPSS

Процентиль: 27%

0.00357

Низкий

7.5 High

CVSS3

Дефекты

CWE-129