Fluid Attacks Database

Description

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel10	osbuild-composer	<0:165.1-2.el10_2	0:165.1-2.el10_2
rpm rhel9	osbuild-composer	<0:165.1-2.el9_8	0:165.1-2.el9_8
debian 14	golang-github-jackc-pgproto3	=2.3.2-1 \|\| =2.3.3-1 \|\| =2.3.3-1~exp0 \|\| >=0 <2.3.3-2	2.3.3-2
go	github.com/jackc/pgproto3/v2	>=2.0.0 <=2.3.3	-
debian 12	golang-github-jackc-pgproto3	=2.2.0-2 \|\| =2.3.2-1 \|\| =2.3.3-1 \|\| =2.3.3-1~exp0 \|\| =2.3.3-2	-
debian 13	golang-github-jackc-pgproto3	=2.3.2-1 \|\| =2.3.3-1 \|\| =2.3.3-1~exp0 \|\| =2.3.3-2	-
rpm rhel8	osbuild-composer	-	-

Aliases

1. CVE-2026-322862. NVD-2026-322863. OSV-2026-322864. OSV-DEBIAN-2026-322865. GCVE-2026-322866. SECURITY-TRACKER-CVE-2026-32286

References

1. https://github.com/moisei-dev/go-dbmigrate2. https://github.com/golang/vulndb/issues/45183. https://github.com/jackc/pgx/issues/25074. https://bugzilla.redhat.com/show_bug.cgi?id=24486265. https://pkg.go.dev/vuln/GO-2026-45186. https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.