logo

Database

Lack of data validation In github.com/jackc/pgproto3/v2

Description

Duplicate Advisory: pgproto3: Negative field length panics in DataRow.Decode

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-jqcq-xjh3-6g23. This link is maintained to preserve external references.

Original Description

A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This input validation vulnerability can lead to a denial of service (DoS) due to a slice bounds out of range panic.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-44272. NVD-2026-44273. OSV-2026-44274. GCVE-2026-44275. ACCESS-CVE-2026-4427

References

1. https://github.com/golang/vulndb/issues/45182. https://github.com/jackc/pgx/issues/25073. https://bugzilla.redhat.com/show_bug.cgi?id=24486264. https://securityinfinity.com/research/memory-safety-vulnerabilities-in-go-postgresql-wire-protocol-parsers-pgproto3-pgx

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.