2451847 – (CVE-2026-32286) CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server

Bug 2451847 (CVE-2026-32286) - CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server

Summary: CVE-2026-32286 github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: De...

Keywords:
Status:	NEW
Alias:	CVE-2026-32286
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2452381 2452382 2452383 2452384 2452385 2452386
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-26 20:02 UTC by OSIDB Bzimport
Modified:	2026-03-27 19:23 UTC (History)
CC List:	55 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-26 20:02:24 UTC

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Note You need to log in before you can comment on or make changes to this bug.

abuckta
adudiak
agarcial
alcohan
aoconnor
aprice
asegurap
bdettelb
caswilli
ckandaga
cmah
crizzo
dfreiber
dkuc
doconnor
drow
gparvin
gtanzill
jaharrin
jbalunas
jburrell
jbuscemi
jdobes
jeder
jkoehler
jmitchel
jsamir
jsherril
jvasik
kaycoth
kgaikwad
kshier
lball
lgamliel
lphiri
mstipich
ngough
oezr
orabin
pahickey
pbohmill
pvasanth
rblanco
rexwhite
rfreiman
rhaigner
rochandr
stcannon
sthirugn
teagle
veshanka
vkarehfa
vkumar
vmugicag
yguenane