CVE-2026-33816
Modified Modified - Updated After Analysis

Memory Safety Vulnerability in github.com/jackc/pgx/v5 Library

Vulnerability report for CVE-2026-33816, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-06-30

Assigner: Go Project

Description

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-04-08
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jackc pgx to 5.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-33816 memory-safety vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-33816 vulnerability is a memory-safety issue affecting the Go package github.com/jackc/pgx/v5, specifically within all versions of the pgproto3 subpackage.

It occurs in the Backend.Receive and FunctionCall.Decode functions.

This vulnerability could potentially lead to memory corruption or related security risks when these functions are used.

Impact Analysis

This memory-safety vulnerability could lead to memory corruption or other related security risks.

Such issues might cause unexpected behavior, crashes, or potentially allow an attacker to exploit the system using these functions.

Detection Guidance

The vulnerability affects the Go package github.com/jackc/pgx/v5, specifically the pgproto3 subpackage's Backend.Receive and FunctionCall.Decode functions. Detection would involve identifying usage of these functions within your applications.

Since this is a memory-safety issue in specific Go package functions, detection on a network or system level is not straightforward through network commands.

You can check your Go modules for the presence of the vulnerable package by running commands like:

  • go list -m all | grep github.com/jackc/pgx/v5
  • grep -r 'Backend.Receive' ./path/to/your/project
  • grep -r 'FunctionCall.Decode' ./path/to/your/project

These commands help identify if your codebase uses the vulnerable functions, which is the primary indicator of exposure.

Mitigation Strategies

As of the report date, there are no known fixed versions of the vulnerable package.

Immediate mitigation steps include:

  • Avoid using the Backend.Receive and FunctionCall.Decode functions from the pgproto3 subpackage if possible.
  • Review and audit your code for usage of the vulnerable functions and consider alternative implementations or workarounds.
  • Monitor the official package repository and vulnerability announcements for patches or updates.

Additionally, apply general memory safety best practices and consider running your applications with memory sanitizers or other runtime checks to detect potential issues.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33816. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart