CVE-2026-33816
Status: Analyzed - Analysis Complete
Memory Safety Vulnerability in github.com/jackc/pgx/v5 Library

Publication date: 2026-04-07

Last updated on: 2026-05-21

Assigner: Go Project

Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Meta Information
Published: 2026-04-07
Last Modified: 2026-05-21
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: jackc | Product: pgx | Version / Range: to 5.9.0 (exclusive)
CWE ID: CWE-UNKNOWN
Executive Summary

The CVE-2026-33816 vulnerability is a memory-safety issue affecting the Go package github.com/jackc/pgx/v5, specifically within all versions of the pgproto3 subpackage.

It occurs in the Backend.Receive and FunctionCall.Decode functions.

This vulnerability could potentially lead to memory corruption or related security risks when these functions are used.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-33816 memory-safety vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This memory-safety vulnerability could lead to memory corruption or other related security risks.

Such issues might cause unexpected behavior, crashes, or potentially allow an attacker to exploit the system using these functions.

Detection Guidance

The vulnerability affects the Go package github.com/jackc/pgx/v5, specifically the pgproto3 subpackage's Backend.Receive and FunctionCall.Decode functions. Detection would involve identifying usage of these functions within your applications.

Since this is a memory-safety issue in specific Go package functions, detection on a network or system level is not straightforward through network commands.

You can check your Go modules for the presence of the vulnerable package by running commands like:

  • go list -m all | grep github.com/jackc/pgx/v5
  • grep -r 'Backend.Receive' ./path/to/your/project
  • grep -r 'FunctionCall.Decode' ./path/to/your/project

These commands help identify if your codebase uses the vulnerable functions, which is the primary indicator of exposure.
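
A grep for the type-qualified names can miss real call sites: in Go source these methods are invoked on a variable (for example b.Receive()), and the package may be imported under an alias. The following added example (not from the advisory or the pgx project) parses a Go file with go/ast and reports pgproto3 references and .Receive/.Decode selectors; the function name FindPgproto3Uses and the embedded sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// sample is constructed input for this demo; it only has to parse, not build.
const sample = `package proxy
import pg "github.com/jackc/pgx/v5/pgproto3"
var b = pg.NewBackend(nil, nil)
var _, _ = b.Receive()`

// FindPgproto3Uses lists "line: expr" hits in one Go source file (syntax-only, no type checking).
func FindPgproto3Uses(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	alias := "" // stays empty (nothing reported) if the file does not import pgproto3
	for _, imp := range f.Imports {
		if imp.Path.Value == `"github.com/jackc/pgx/v5/pgproto3"` {
			alias = "pgproto3"
			if imp.Name != nil {
				alias = imp.Name.Name // explicit import alias, e.g. pg
			}
		}
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok && alias != "" {
			id, _ := sel.X.(*ast.Ident)
			line, name := fset.Position(sel.Pos()).Line, sel.Sel.Name
			if id != nil && id.Name == alias && (name == "Backend" || name == "NewBackend" || name == "FunctionCall") {
				hits = append(hits, fmt.Sprintf("%d: %s.%s", line, alias, name))
			} else if name == "Receive" || name == "Decode" { // receiver type unknown: review by hand
				hits = append(hits, fmt.Sprintf("%d: .%s", line, name))
			}
		}
		return true
	})
	return hits, nil
}

func main() {
	fmt.Println(FindPgproto3Uses("sample.go", sample))
}
```

Because the check is syntax-only, .Receive and .Decode hits are candidates to review rather than proof of exposure. For type-aware reachability, govulncheck ./... analyses the call graph against the Go vulnerability database.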

Mitigation Strategies

As of the report date, there are no known fixed versions of the vulnerable package.

Immediate mitigation steps include:

  • Avoid using the Backend.Receive and FunctionCall.Decode functions from the pgproto3 subpackage if possible.
  • Review and audit your code for usage of the vulnerable functions and consider alternative implementations or workarounds.
  • Monitor the official package repository and vulnerability announcements for patches or updates.

Additionally, apply general memory safety best practices and consider running your applications with memory sanitizers or other runtime checks to detect potential issues.
