Bug 2451847 (CVE-2026-32286) - CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server
Summary: CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: De...
Keywords:
Status: NEW
Alias: CVE-2026-32286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
: 2448985 2448986 2448987 2448988 2448989 2448990 2448992 (view as bug list)
Depends On: 2452381 2452382 2452383 2452385 2452386 2452384
Blocks: CVE-2026-4427, GHSA-jqcq-xjh3-6g23
TreeView+ depends on / blocked
 
Reported: 2026-03-26 20:02 UTC by OSIDB Bzimport
Modified: 2026-04-10 17:28 UTC (History)
58 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-26 20:02:24 UTC 
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
Comment 2 Rohit Keshri 2026-04-09 05:49:01 UTC 
*** Bug 2448985 has been marked as a duplicate of this bug. ***
Comment 3 Rohit Keshri 2026-04-09 05:50:45 UTC 
*** Bug 2448986 has been marked as a duplicate of this bug. ***
Comment 4 Rohit Keshri 2026-04-09 05:51:36 UTC 
*** Bug 2448987 has been marked as a duplicate of this bug. ***
Comment 5 Rohit Keshri 2026-04-09 05:51:39 UTC 
*** Bug 2448988 has been marked as a duplicate of this bug. ***
Comment 6 Rohit Keshri 2026-04-09 05:51:41 UTC 
*** Bug 2448989 has been marked as a duplicate of this bug. ***
Comment 7 Rohit Keshri 2026-04-09 05:51:59 UTC 
*** Bug 2448990 has been marked as a duplicate of this bug. ***
Comment 8 Rohit Keshri 2026-04-09 05:52:41 UTC 
*** Bug 2448992 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.