CVE-2026-32286
Slice Bounds Panic in Go DataRow.Decode via Malicious PostgreSQL
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: Go Project
Description
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when a malicious or compromised PostgreSQL server sends a DataRow message with a negative field length, causing a slice bounds out of range panic in applications that use the affected Go package.
Detection can focus on monitoring application logs for panic or crash messages containing "slice bounds out of range" whose stack trace mentions the DataRow.Decode or Frontend.Receive symbols.
Network detection could involve capturing and inspecting PostgreSQL protocol traffic to identify DataRow messages with invalid or negative field lengths, though no specific commands are provided.
Since no fixed version or specific detection commands are mentioned, it is recommended to enable detailed logging in the Go application and monitor for unexpected panics or crashes during PostgreSQL data processing.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of untrusted or compromised PostgreSQL servers, as the vulnerability is triggered by malicious DataRow messages from the server.
Since no fixed version of the affected Go package is available at the time of the report, consider implementing additional input validation or error handling around the DataRow.Decode function to gracefully handle unexpected field lengths.
Monitor for updates or patches to the github.com/jackc/pgproto3/v2 package and apply them as soon as they become available.
Can you explain this vulnerability to me?
The vulnerability affects the DataRow.Decode function in the Go package github.com/jackc/pgproto3/v2. This function does not properly validate the lengths of fields in a DataRow message received from a PostgreSQL server.
A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This malformed input causes the Go application using this package to experience a slice bounds out of range panic, which is a runtime error.
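The following Go program is an added example, not code from the advisory or from the github.com/jackc/pgproto3 project. It illustrates both the mitigation suggested above (validating field lengths around DataRow decoding) and the mechanism just described. decodeUnchecked mirrors the unsafe pattern in the advisory's own words: it trusts the int32 length prefix and slices with it, so a negative length other than the -1 NULL marker makes the high bound smaller than the low bound and Go panics. DecodeDataRow is a hardened decoder of the same wire layout (int16 field count, then per field an int32 length followed by that many bytes) that returns an error instead. The message bodies are constructed inline; the function and error names are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrMalformedDataRow is returned for any DataRow body that does not fit the wire layout.
// The name is this example's own; it is not an identifier from pgproto3.
var ErrMalformedDataRow = errors.New("malformed DataRow message body")

// DecodeDataRow parses the body of a PostgreSQL DataRow ('D') message and returns one
// entry per field; a nil entry represents SQL NULL (length -1). Every length is checked
// before it is used as a slice bound, so a hostile server can only produce an error.
func DecodeDataRow(body []byte) ([][]byte, error) {
	if len(body) < 2 {
		return nil, fmt.Errorf("%w: missing field count", ErrMalformedDataRow)
	}
	fieldCount := int(binary.BigEndian.Uint16(body[:2]))
	rp := 2 // read position
	values := make([][]byte, 0, fieldCount)
	for i := 0; i < fieldCount; i++ {
		if len(body)-rp < 4 {
			return nil, fmt.Errorf("%w: field %d: truncated length prefix", ErrMalformedDataRow, i)
		}
		fieldLen := int32(binary.BigEndian.Uint32(body[rp : rp+4]))
		rp += 4
		if fieldLen == -1 { // the protocol's NULL marker
			values = append(values, nil)
			continue
		}
		if fieldLen < 0 { // any other negative value would make rp+fieldLen < rp
			return nil, fmt.Errorf("%w: field %d: negative length %d", ErrMalformedDataRow, i, fieldLen)
		}
		if int(fieldLen) > len(body)-rp { // length claims more bytes than were received
			return nil, fmt.Errorf("%w: field %d: length %d exceeds %d remaining bytes", ErrMalformedDataRow, i, fieldLen, len(body)-rp)
		}
		values = append(values, body[rp:rp+int(fieldLen)])
		rp += int(fieldLen)
	}
	if rp != len(body) {
		return nil, fmt.Errorf("%w: %d trailing bytes after last field", ErrMalformedDataRow, len(body)-rp)
	}
	return values, nil
}

// decodeUnchecked is an illustration of the unsafe pattern the advisory describes
// (trusting the length prefix as a slice bound); it is not pgproto3's code.
func decodeUnchecked(body []byte) [][]byte {
	fieldCount := int(binary.BigEndian.Uint16(body[:2]))
	rp := 2
	values := make([][]byte, 0, fieldCount)
	for i := 0; i < fieldCount; i++ {
		fieldLen := int32(binary.BigEndian.Uint32(body[rp : rp+4]))
		rp += 4
		if fieldLen == -1 {
			values = append(values, nil)
			continue
		}
		values = append(values, body[rp:rp+int(fieldLen)]) // negative fieldLen: slice bounds panic
		rp += int(fieldLen)
	}
	return values
}

// panics reports whether f panics, recovering so the caller survives.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

// Constructed sample bodies (not captured traffic).
func sampleWellFormed() []byte { // 2 fields: "42" and NULL
	return []byte{0x00, 0x02, 0x00, 0x00, 0x00, 0x02, '4', '2', 0xFF, 0xFF, 0xFF, 0xFF}
}
func sampleNegativeLength() []byte { // 1 field with length -5 (0xFFFFFFFB)
	return []byte{0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFB}
}
func sampleOversizedLength() []byte { // 1 field claiming 16 bytes, only 2 present
	return []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 'a', 'b'}
}

func main() {
	samples := map[string][]byte{"well-formed": sampleWellFormed(), "negative": sampleNegativeLength(), "oversized": sampleOversizedLength()}
	for name, body := range samples {
		vals, err := DecodeDataRow(body)
		fmt.Printf("%-11s hardened: values=%q err=%v\n", name, vals, err)
		fmt.Printf("%-11s unchecked panics: %v\n", name, panics(func() { decodeUnchecked(body) }))
	}
}
```

The hardened decoder also rejects lengths larger than the remaining body and trailing bytes, two further malformed cases a server-controlled message can present; a caller that wraps decoding this way turns a process crash into a connection-level error it can log and alert on.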
How can this vulnerability impact me?
This vulnerability can cause a Go application that uses the affected package to crash due to a slice bounds out of range panic when processing maliciously crafted DataRow messages from a PostgreSQL server.
Such crashes can lead to denial of service conditions, potentially disrupting application availability and reliability.