{"id":"GO-2026-4518","summary":"Denial of service in github.com/jackc/pgproto3/v2","details":"The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.","aliases":["CVE-2026-32286","GHSA-jqcq-xjh3-6g23"],"modified":"2026-04-02T21:19:57.026952Z","published":"2026-03-16T20:27:13Z","related":["CGA-722j-m72r-cchj"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4518"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-jqcq-xjh3-6g23"},{"type":"REPORT","url":"https://github.com/jackc/pgx/issues/2507"},{"type":"REPORT","url":"https://github.com/golang/vulndb/issues/4518"}],"affected":[{"package":{"name":"github.com/jackc/pgproto3/v2","ecosystem":"Go","purl":"pkg:golang/github.com/jackc/pgproto3/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/jackc/pgproto3/v2","symbols":["DataRow.Decode","Frontend.Receive"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4518.json"}}],"schema_version":"1.7.5"}