CVE-2026-33815
Memory Safety Vulnerability in pgx/v5 Risks Data Integrity
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgx_project | pgx | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-33815 vulnerability is a memory-safety issue affecting the Go package github.com/jackc/pgx/v5, specifically within the pgproto3 subpackage.
The flaw is in the functions Backend.Receive and Bind.Decode.
All versions of this package are affected, and there are no known fixed versions available at the time of the report.
How can this vulnerability impact me?
This memory-safety vulnerability could lead to application crashes, data corruption, denial of service, or arbitrary code execution by an attacker.
Since it affects core functions in the pgx package used for PostgreSQL communication, any application relying on this package might be at risk.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the github.com/jackc/pgx/v5 package with no known fixed versions available at the time of the report.
Since no fixed versions are available, immediate mitigation steps include avoiding the use of the vulnerable functions Backend.Receive and Bind.Decode within the pgproto3 subpackage, or limiting exposure by restricting access to systems using this package.
Monitoring for updates or patches from the package maintainers and applying them as soon as they become available is also recommended.
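To act on the advice above, first find where a codebase references the pgproto3 types behind Backend.Receive and Bind.Decode. The following is an added example, not code from pgx or from the advisory: the function name `FindPgproto3Uses` and the sample source are constructed, and the scan is purely syntactic (no type checking), so each hit is a candidate for manual review.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Subpackage named in the advisory, quoted as it appears in an import spec.
const pgproto3Import = `"github.com/jackc/pgx/v5/pgproto3"`

// Constructed sample source, not taken from any real project.
const sample = `package proxy
import pg "github.com/jackc/pgx/v5/pgproto3"
func serve(c net.Conn) { pg.NewBackend(c, c).Receive() }
`

// FindPgproto3Uses lists "line: expr" for each reference to pgproto3's
// Backend, NewBackend or Bind identifiers in one Go source file.
func FindPgproto3Uses(name, src string) (hits []string, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, 0)
	if err != nil {
		return nil, err
	}
	alias := "" // stays empty when the file does not import pgproto3
	for _, imp := range f.Imports {
		if imp.Path.Value != pgproto3Import {
			continue
		}
		if alias = "pgproto3"; imp.Name != nil {
			alias = imp.Name.Name // explicit import alias, e.g. pg
		}
	}
	watched := map[string]bool{"Backend": true, "NewBackend": true, "Bind": true}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok && watched[sel.Sel.Name] {
			if x, ok := sel.X.(*ast.Ident); ok && x.Name == alias {
				hits = append(hits, fmt.Sprintf("%d: %s.%s", fset.Position(sel.Pos()).Line, alias, sel.Sel.Name))
			}
		}
		return true
	})
	return hits, nil
}

func main() {
	fmt.Println(FindPgproto3Uses("sample.go", sample))
}
```

Dot imports and values passed in from other packages are not detected by this heuristic.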