Skip to main content

Github Com Jackc Pgx V5 Pgproto3 CVE-2026-33816

| EUVDEUVD-2026-19709 CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-07 Go GHSA-9jj7-4m8r-rfcm
9.8
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 16:00 euvd
EUVD-2026-19709
Analysis Generated
Apr 07, 2026 - 16:00 vuln.today
CVE Published
Apr 07, 2026 - 15:19 nvd
CRITICAL 9.8

DescriptionCVE.org

Memory-safety vulnerability in github.com/jackc/pgx/v5.

AnalysisAI

Memory-safety vulnerability in github.com/jackc/pgx/v5 PostgreSQL driver library allows unauthenticated remote attackers to achieve complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability resides in the pgproto3 subpackage and enables network-accessible exploitation without user interaction. Attack complexity is low, requiring no special privileges. Information disclosure confirmed via source tagging. No public exploit identified at time of analysis.

Technical ContextAI

Memory-safety flaw in pgproto3 protocol implementation component of pgx v5 PostgreSQL driver. Root cause mechanism involves unsafe memory operations during protocol message handling. Network-reachable attack vector (AV:N) with low complexity suggests exploitable condition in packet parsing or buffer management routines.

RemediationAI

Upstream fix available via Go vulnerability database (https://pkg.go.dev/vuln/GO-2026-4772); released patched version not independently confirmed at time of analysis. Consult official Go advisory for exact fixed version and update github.com/jackc/pgx/v5 dependency immediately using 'go get -u' or module version pinning. If patched release unavailable, temporarily remove pgx v5 dependency or isolate affected services from untrusted networks until vendor confirmation. Monitor https://nvd.nist.gov/vuln/detail/CVE-2026-33816 for patch release announcements. EPSS score indicates low observed exploitation activity currently.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-33816 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy