CVE-2026-33816
Memory Safety Vulnerability in github.com/jackc/pgx/v5 Library
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: Go Project
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgx_project | pgx | * |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33816 is a memory-safety issue in the Go package github.com/jackc/pgx/v5, specifically in all versions of its pgproto3 subpackage.
The affected code paths are the Backend.Receive and FunctionCall.Decode functions.
Use of these functions could lead to memory corruption or related security risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-33816 memory-safety vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This memory-safety vulnerability could lead to memory corruption or other related security risks.
Such issues might cause unexpected behavior, crashes, or potentially allow an attacker to exploit the system using these functions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability affects the Go package github.com/jackc/pgx/v5, specifically the Backend.Receive and FunctionCall.Decode functions of its pgproto3 subpackage, so detection means identifying where your applications use those functions.
Because this is a memory-safety issue inside specific Go package functions, it cannot be detected reliably with network-level commands or scans.
You can check your Go modules for the presence of the vulnerable package, and your source tree for calls to the affected functions, with commands like:
- `go list -m all | grep github.com/jackc/pgx/v5`
- `grep -r 'Backend.Receive' ./path/to/your/project`
- `grep -r 'FunctionCall.Decode' ./path/to/your/project`
These commands help identify whether your codebase depends on the vulnerable package and uses the affected functions, which is the primary indicator of exposure.
What immediate steps should I take to mitigate this vulnerability?
As of the report date, there are no known fixed versions of the vulnerable package.
Immediate mitigation steps include:
- Avoid using the Backend.Receive and FunctionCall.Decode functions from the pgproto3 subpackage if possible.
- Review and audit your code for usage of the vulnerable functions and consider alternative implementations or workarounds.
- Monitor the official package repository and vulnerability announcements for patches or updates.
Additionally, apply general memory-safety best practices and consider running your applications with memory sanitizers or other runtime checks to detect potential issues.