CVE-2026-32286
Status: Analyzed (Analysis Complete)
Slice Bounds Panic in Go DataRow.Decode via Malicious PostgreSQL

Publication date: 2026-03-26

Last updated on: 2026-06-03

Assigner: Go Project

Description
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
Meta Information
Published: 2026-03-26
Last Modified: 2026-06-03
Generated: 2026-06-16
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE

Vendor   Product    Version / Range
jackc    pgproto3   From 2.0.0 (inc) to 2.3.3 (inc)
CWE
CWE-129 (Improper Validation of Array Index): The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Executive Summary

The vulnerability affects the DataRow.Decode function in the Go package github.com/jackc/pgproto3/v2, a client-side implementation of the PostgreSQL wire protocol. A DataRow message carries an Int32 length prefix for each column, with -1 reserved for NULL; Decode does not reject the other negative values, which a well-behaved server never produces.

A malicious or compromised PostgreSQL server can send a DataRow message with such a negative field length. A negative length satisfies any "enough bytes remain" check, and slicing with a high index below the low index is exactly what produces a slice bounds out of range panic in Go. Unless the caller recovers it, that runtime panic terminates the application.

Impact Analysis

This vulnerability lets a PostgreSQL server, or an on-path attacker impersonating one, crash a Go application that decodes its DataRow messages with the affected package. Because Go bounds-checks every slice expression, the out-of-range index ends in a runtime panic rather than memory corruption: the consequence is loss of availability, not code execution or data disclosure.

An unrecovered panic terminates the whole process, so every connection and request that process was serving is lost, not only the one attached to the hostile server. Where the decoding goroutine is covered by a recover, the damage is contained to that connection. Either way, a persistent attacker can hold the client in a crash loop for as long as it keeps reconnecting.

Detection Guidance

The trigger is a DataRow message from the server whose Int32 field length is negative but not the -1 NULL marker; the affected decoder indexes with it and panics.

Host side, watch application logs (stderr in particular, where the Go runtime writes panics) for "panic: runtime error: slice bounds out of range" followed by a goroutine dump whose frames include pgproto3's (*DataRow).Decode or (*Frontend).Receive. Unexplained restarts or crash loops of a service that holds an open PostgreSQL connection are the coarser signal.

Network side, a parser sitting on the PostgreSQL wire protocol can flag DataRow ('D') messages in which any column length is negative and not -1. Such a message is never valid, so a single hit is significant. This only works where the connection is visible in the clear, which it should not be in production.

Inventory side, check whether the affected module is in the build at all: go list -m all, run in each binary's module, lists github.com/jackc/pgproto3/v2 and its version if it is a dependency, and govulncheck (which reads the Go vulnerability database) reports whether a vulnerable version is actually reachable from your code. Beyond that, the advisory text captured here names no specific detection commands; detailed logging around PostgreSQL data processing and alerting on unexpected panics is the practical baseline.
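As an added example (not part of this advisory), a small Go scanner that applies the log-based detection above to a constructed log excerpt: it flags a slice bounds out of range panic only when the panicking goroutine's stack passes through pgproto3's (*DataRow).Decode or (*Frontend).Receive. The sample log, the symbol strings and the function names are this example's own; the trace shape follows the Go runtime's panic output.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one slice-bounds panic whose goroutine dump passes through the
// pgproto3 symbols named in the advisory.
type Finding struct {
	Line   int      // 1-based line number of the "panic:" header in the log
	Header string   // the panic header itself
	Frames []string // pgproto3 frames seen in the panicking goroutine
}

// isSuspectFrame reports whether a stack-frame line names one of the symbols
// the advisory points at. Requiring the module path as well keeps frames from
// unrelated packages that happen to define a Receive method out of the match.
func isSuspectFrame(line string) bool {
	return strings.Contains(line, "pgproto3") &&
		(strings.Contains(line, "(*DataRow).Decode") || strings.Contains(line, "(*Frontend).Receive"))
}

// scanGoPanics walks a Go process log and reports slice-bounds panics whose
// first goroutine dump (the panicking goroutine is always printed first)
// contains a suspect frame. A panic with no such frame, or a pgproto3 frame
// with no preceding panic, is not reported. Matching uses Contains/HasSuffix
// so that log shippers prefixing each line with a timestamp do not break it.
func scanGoPanics(log string) []Finding {
	var findings []Finding
	var cur *Finding
	inFirst := false // inside the first goroutine dump after the panic header
	emit := func() {
		if cur != nil && len(cur.Frames) > 0 {
			findings = append(findings, *cur)
		}
		cur, inFirst = nil, false
	}
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		switch {
		case strings.Contains(line, "panic: runtime error: slice bounds out of range"):
			emit()
			cur = &Finding{Line: n, Header: strings.TrimSpace(line)}
		case cur == nil:
			// no panic pending; ordinary log traffic
		case strings.Contains(line, "goroutine ") && strings.HasSuffix(line, "]:"):
			if inFirst {
				emit() // a second goroutine dump starts; its frames are unrelated
			} else {
				inFirst = true
			}
		case inFirst && isSuspectFrame(line):
			cur.Frames = append(cur.Frames, strings.TrimSpace(line))
		}
	}
	emit()
	return findings
}

// sampleLog is a constructed excerpt, not a real capture: two crashes from an
// aggregated application log. Only the first passes through pgproto3.
const sampleLog = `2026-03-27T10:15:02Z INFO app started
2026-03-27T10:15:09Z INFO connected to postgres db=orders
panic: runtime error: slice bounds out of range [15:10]

goroutine 42 [running]:
github.com/jackc/pgproto3/v2.(*DataRow).Decode(0xc00012c060, {0xc000130000, 0xf, 0xf})
        /go/pkg/mod/github.com/jackc/pgproto3/v2@v2.3.3/data_row.go:33 +0x1b8
github.com/jackc/pgproto3/v2.(*Frontend).Receive(0xc000124000)
        /go/pkg/mod/github.com/jackc/pgproto3/v2@v2.3.3/frontend.go:131 +0x2e5
main.main()
        /app/main.go:48 +0x1c4

goroutine 7 [select]:
net/http.(*persistConn).readLoop(0xc000116000)
        /usr/local/go/src/net/http/transport.go:2200 +0x4a5
panic: runtime error: slice bounds out of range [:8] with capacity 4

goroutine 1 [running]:
main.parseConfig(...)
        /app/config.go:22 +0x9c
`

func main() {
	for _, f := range scanGoPanics(sampleLog) {
		fmt.Printf("line %d: %s\n", f.Line, f.Header)
		for _, fr := range f.Frames {
			fmt.Printf("    %s\n", fr)
		}
	}
}
```

The second panic in the sample is a different slice-bounds bug in application code and is correctly ignored; in a real pipeline you would feed scanGoPanics the stderr stream of each service and raise an alert on any Finding, attaching the frames so the responder can confirm the module version from the path.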

Mitigation Strategies

Immediate mitigation is to limit who can speak to the client as the server: connect only to PostgreSQL instances you operate or trust, and require TLS with server certificate verification (sslmode=verify-full in libpq-style connection strings) so that an on-path attacker cannot inject a DataRow message into an otherwise trusted session. The vulnerability is triggered by server-to-client data, so SQL-side controls such as parameterised queries do not help here.

The advisory text captured here names no fixed version; the affected range listed above ends at 2.3.3 inclusive, so consult the module's releases and the Go vulnerability database for the release that carries the fix and upgrade to it. The standalone pgproto3 module has also been superseded by the copy maintained inside pgx v5 (github.com/jackc/pgx/v5/pgproto3); check whether your dependency graph still pulls in the standalone v2 module, directly or through an older pgx.

Until the upgrade lands, add defence in depth around message decoding: recover from panics in the goroutine that reads from the server so a malformed row closes that connection rather than the process, and run the service under a supervisor that restarts it with backoff. Monitor for updates to github.com/jackc/pgproto3/v2 and apply them as soon as they become available.
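To make the failure and both mitigations concrete, here is an added Go example (illustrative code, not pgproto3's own source) that also serves the executive summary above: a minimal DataRow body decoder written with the unsafe pattern the advisory describes, the same decoder with the missing negative-length check, and a recover-based wrapper of the kind the previous paragraph suggests as a stopgap. The message builder, the function names and the constructed rows are this example's assumptions; the DataRow layout (Int16 column count, Int32 length per column, -1 for NULL) is the PostgreSQL wire format.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrInvalidDataRow is returned for any malformed DataRow body.
var ErrInvalidDataRow = errors.New("invalid DataRow message format")

// wireField is one column as it appears on the wire: an Int32 length prefix
// followed by that many bytes; -1 means NULL and no bytes follow. Keeping the
// length separate from the data lets us emit a length that lies about the data,
// which is exactly what a hostile server does.
type wireField struct {
	length int32
	data   []byte
}

// buildDataRow constructs the body of a DataRow ('D') message: Int16 column
// count, then one wireField per column. The type byte and Int32 total length
// that precede the body on the wire are omitted; the decoders below work on
// the body only, as DataRow.Decode does.
func buildDataRow(fields []wireField) []byte {
	var tmp [4]byte
	buf := make([]byte, 2, 64)
	binary.BigEndian.PutUint16(buf, uint16(len(fields)))
	for _, f := range fields {
		binary.BigEndian.PutUint32(tmp[:], uint32(f.length))
		buf = append(buf, tmp[:]...)
		buf = append(buf, f.data...)
	}
	return buf
}

// decodeDataRowVulnerable reproduces the unsafe pattern: -1 is NULL, but every
// other negative length reaches the remaining-bytes check (which any negative
// number passes) and then a slice expression whose high index is below its low.
func decodeDataRowVulnerable(src []byte) ([][]byte, error) {
	if len(src) < 2 {
		return nil, ErrInvalidDataRow
	}
	rp := 2
	fieldCount := int(binary.BigEndian.Uint16(src))
	values := make([][]byte, 0, fieldCount)
	for i := 0; i < fieldCount; i++ {
		if len(src[rp:]) < 4 {
			return nil, ErrInvalidDataRow
		}
		valueLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
		rp += 4
		if valueLen == -1 {
			values = append(values, nil)
			continue
		}
		if len(src[rp:]) < valueLen { // never true for a negative valueLen
			return nil, ErrInvalidDataRow
		}
		values = append(values, src[rp:rp+valueLen]) // panics: high index < low index
		rp += valueLen
	}
	return values, nil
}

// decodeDataRowHardened rejects any negative length other than the NULL marker
// before it is used as an index, and refuses trailing bytes the column count
// does not account for.
func decodeDataRowHardened(src []byte) ([][]byte, error) {
	if len(src) < 2 {
		return nil, ErrInvalidDataRow
	}
	rp := 2
	fieldCount := int(binary.BigEndian.Uint16(src))
	values := make([][]byte, 0, fieldCount)
	for i := 0; i < fieldCount; i++ {
		if len(src[rp:]) < 4 {
			return nil, ErrInvalidDataRow
		}
		valueLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
		rp += 4
		switch {
		case valueLen == -1:
			values = append(values, nil)
		case valueLen < 0:
			return nil, fmt.Errorf("%w: column %d has negative length %d", ErrInvalidDataRow, i, valueLen)
		case len(src[rp:]) < valueLen:
			return nil, fmt.Errorf("%w: column %d claims %d bytes, %d remain", ErrInvalidDataRow, i, valueLen, len(src[rp:]))
		default:
			values = append(values, src[rp:rp+valueLen:rp+valueLen])
			rp += valueLen
		}
	}
	if rp != len(src) {
		return nil, fmt.Errorf("%w: %d trailing bytes", ErrInvalidDataRow, len(src)-rp)
	}
	return values, nil
}

// safeDecode runs a decoder and turns a panic into an error. It is the
// fail-closed stopgap for code that cannot yet move off an affected decoder:
// the crash is confined to the offending connection, but the parser is not fixed.
func safeDecode(decode func([]byte) ([][]byte, error), src []byte) (values [][]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			values, err = nil, fmt.Errorf("DataRow decode panicked: %v", r)
		}
	}()
	return decode(src)
}

func main() {
	// Constructed rows: a valid (text, NULL, text) row and a hostile row whose
	// second column advertises a length of -5 with no data behind it.
	good := buildDataRow([]wireField{{5, []byte("alice")}, {-1, nil}, {2, []byte("42")}})
	evil := buildDataRow([]wireField{{5, []byte("alice")}, {-5, nil}})
	for _, tc := range []struct {
		name string
		msg  []byte
	}{{"good", good}, {"evil", evil}} {
		_, err := safeDecode(decodeDataRowVulnerable, tc.msg)
		fmt.Printf("vulnerable/%s: %v\n", tc.name, err)
		_, err = decodeDataRowHardened(tc.msg)
		fmt.Printf("hardened/%s:   %v\n", tc.name, err)
	}
}
```

The hardened decoder is also what a wire-level detector needs: run it over the body of every DataRow and treat ErrInvalidDataRow as an alert, since a conforming server never emits a negative length other than -1. The recover wrapper belongs around the read loop of each connection, not around the whole process, so that one poisoned session is dropped while the others keep running.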
