Skip to main content

Github Com Jackc Pgx V5 Pgproto3 EUVDEUVD-2026-19707

| CVE-2026-33815 CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-07 Go GHSA-xgrm-4fwx-7qm8
9.8
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 16:00 euvd
EUVD-2026-19707
Analysis Generated
Apr 07, 2026 - 16:00 vuln.today
CVE Published
Apr 07, 2026 - 15:19 nvd
CRITICAL 9.8

DescriptionCVE.org

Memory-safety vulnerability in github.com/jackc/pgx/v5.

AnalysisAI

Remote memory-safety vulnerability in github.com/jackc/pgx/v5 (Go PostgreSQL driver) enables unauthenticated attackers to achieve arbitrary code execution, information disclosure, and denial of service via network vectors. The flaw affects the pgproto3 protocol implementation subpackage with critical-severity CVSS 9.8 scoring. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis. Vulnerability allows complete compromise of confidentiality, integrity, and availability without user interaction or elevated privileges.

Technical ContextAI

Memory-safety defect in pgproto3 protocol implementation layer of pgx PostgreSQL driver for Go. CVSS vector AV:N/AC:L/PR:N/UI:N indicates remotely exploitable memory corruption requiring no authentication or complexity barriers. Vulnerable component handles PostgreSQL wire protocol parsing, creating attack surface in database connection handling. CPE identifies pgproto3 subpackage as affected module.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed. Consult Go vulnerability database at https://pkg.go.dev/vuln/GO-2026-4771 for remediation guidance and update instructions. Organizations must immediately audit applications using github.com/jackc/pgx/v5/pgproto3 module and monitor vendor repository for versioned release. If patched version unavailable, consider temporarily migrating to alternative PostgreSQL drivers with memory-safe implementations or implement strict network segmentation to limit database connection exposure. Reference EUVD advisory https://nvd.nist.gov/vuln/detail/CVE-2026-33815 for additional vendor communications. Update Go dependency management (go.mod) immediately upon patch availability confirmation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-19707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy