QSearch

CVE-2026-32286

7.5 HIGH

The DataRow.Decode function fails to properly validate field lengths

Published: 2026-03-26 · Last updated: 2026-06-03

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-129

Affected products

Vendor: jackc
Product: pgproto3

Description

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Source: NVD
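
The length check the description refers to, as an added example (not code from this page or from pgproto3). It assumes the PostgreSQL wire layout of a DataRow body: an int16 column count, then for each column a signed int32 length (-1 for NULL) followed by that many bytes. The name decodeDataRow and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errInvalidDataRow = errors.New("invalid DataRow body")

// decodeDataRow parses a DataRow body; hypothetical helper, not pgproto3 API.
func decodeDataRow(body []byte) ([][]byte, error) {
	if len(body) < 2 {
		return nil, errInvalidDataRow
	}
	n := int(binary.BigEndian.Uint16(body)) // column count
	rp := 2                                 // read position
	values := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		if len(body)-rp < 4 {
			return nil, errInvalidDataRow
		}
		// The column length is a signed int32 on the wire; -1 means NULL.
		l := int(int32(binary.BigEndian.Uint32(body[rp:])))
		rp += 4
		switch {
		case l == -1:
			values = append(values, nil)
		case l < 0 || l > len(body)-rp:
			// Without this check, l = -2 makes rp+l < rp and the slice below panics.
			return nil, fmt.Errorf("%w: column %d has length %d", errInvalidDataRow, i, l)
		default:
			values = append(values, body[rp:rp+l])
			rp += l
		}
	}
	return values, nil
}

func main() {
	// Constructed sample bodies: one column "ok", then one column of length -2.
	for _, body := range [][]byte{
		{0, 1, 0, 0, 0, 2, 'o', 'k'},
		{0, 1, 0xff, 0xff, 0xff, 0xfe},
	} {
		vals, err := decodeDataRow(body)
		fmt.Printf("values=%q err=%v\n", vals, err)
	}
}
```

A client that treats the returned error as a protocol violation and closes the connection fails cleanly instead of panicking on a malformed row.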

Related CVEs

Same vendor

  • CVE-2026-41889 pgx is a PostgreSQL driver and toolkit for Go (9.8 CRITICAL)
  • CVE-2026-33816 Memory-safety vulnerability in github.com/jackc/pgx/v5 (9.8 CRITICAL)
  • CVE-2026-33815 Memory-safety vulnerability in github.com/jackc/pgx/v5 (9.8 CRITICAL)
  • CVE-2024-27304 pgx is a PostgreSQL driver and toolkit for Go (9.8 CRITICAL)
  • CVE-2024-27289 pgx is a PostgreSQL driver and toolkit for Go (8.1 HIGH)

Same CWE

  • CVE-2026-45624 ImageMagick is free and open-source software used for editing and manipulating digital images (5.1 MEDIUM)
  • CVE-2026-45359 ImageMagick is free and open-source software used for editing and manipulating digital images (5.7 MEDIUM)
  • CVE-2026-24181 NVIDIA DALI contains a vulnerability in a component where an attacker could cause an improper index validation (7.3 HIGH)
  • CVE-2026-25276 Memory corruption while using Strongbox due to missing bounds check (8.8 HIGH)
  • CVE-2026-46163 In the Linux kernel, the following vulnerability has been resolved: wifi: b43legacy: enforce bounds check on firmware key index in RX pa... (7.8 HIGH)