{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-33816", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.814Z", "datePublished": "2026-04-07T15:19:24.529Z", "dateUpdated": "2026-07-09T12:10:01.070Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-15T15:49:13.116Z" }, "title": "CVE-2026-33816 in github.com/jackc/pgx", "descriptions": [ { "lang": "en", "value": "Memory-safety vulnerability in github.com/jackc/pgx/v5." } ], "affected": [ { "vendor": "github.com/jackc/pgx/v5", "product": "github.com/jackc/pgx/v5/pgproto3", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/jackc/pgx/v5/pgproto3", "versions": [ { "version": "0", "lessThan": "5.9.0", "status": "affected", "versionType": "semver" } ], "programRoutines": [ { "name": "FunctionCall.Decode" }, { "name": "Backend.Receive" } ], "defaultStatus": "unaffected" } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "CWE-697 — Incorrect Comparison" } ] } ], "references": [ { "url": "https://pkg.go.dev/vuln/GO-2026-4772" } ] }, "adp": [ { "metrics": [ { "cvssV3_1": { "scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH" } }, { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-09T14:24:50.570972Z", "id": "CVE-2026-33816", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T16:04:30.991Z" } }, { "affected": [ { "cpes": [ "cpe:/a:redhat:cryostat:4::el9" ], "defaultStatus": "affected", "product": "Cryostat 4 on RHEL 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:edge_manager:1.0::el9" ], "defaultStatus": "affected", "product": "RHEM 1.0 for RHEL 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:10.2" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 10)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.19::el9" ], "defaultStatus": "affected", "product": "Custom Metric Autoscaler 2.19", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:multicluster_globalhub:1.3::el9" ], "defaultStatus": "affected", "product": "Multicluster Global Hub 1.3.4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:multicluster_globalhub:1.7::el9" ], "defaultStatus": "affected", "product": "Multicluster Global Hub 1.7.1", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:acm:2.15::el9" ], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Management for Kubernetes 2.15", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:acm:2.16::el9" ], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Management for Kubernetes 2.16", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.10::el8" ], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Security for Kubernetes 4.10", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.8::el8" ], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Security for Kubernetes 4.8", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.9::el8" ], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:hummingbird:1" ], "defaultStatus": "affected", "product": "Red Hat Hardened Images", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_pipelines:1.21::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Pipelines 1.21", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:trusted_artifact_signer:1.3::el9" ], "defaultStatus": "affected", "product": "Red Hat Trusted Artifact Signer 1.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2" ], "defaultStatus": "affected", "product": "Custom Metric Autoscaler operator for Red Hat Openshift", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "affected", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:multicluster_globalhub" ], "defaultStatus": "affected", "product": "Multicluster Global Hub", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:red_hat_3scale_amp:2" ], "defaultStatus": "affected", "product": "Red Hat 3scale API Management Platform 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4" ], "defaultStatus": "affected", "product": "Red Hat Advanced Cluster Security 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:edge_manager:1" ], "defaultStatus": "affected", "product": "Red Hat Edge Manager 1", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_data_foundation:4" ], "defaultStatus": "affected", "product": "Red Hat Openshift Data Foundation 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:trusted_artifact_signer:1" ], "defaultStatus": "affected", "product": "Red Hat Trusted Artifact Signer", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:zero_trust_workload_identity_manager:0" ], "defaultStatus": "affected", "product": "Zero Trust Workload Identity Manager - Tech Preview", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "unaffected", "product": "Red Hat Quay 3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:zero_trust_workload_identity_manager:1" ], "defaultStatus": "unaffected", "product": "Zero Trust Workload Identity Manager", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_pipelines:1" ], "defaultStatus": "unknown", "product": "OpenShift Pipelines", "vendor": "Red Hat" } ], "datePublic": "2026-04-07T15:19:24.529Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in github.com/jackc/pgx, a PostgreSQL driver for Go. This memory-safety vulnerability could allow an attacker to cause various impacts, such as denial of service (DoS) or potentially arbitrary code execution, by exploiting memory corruption issues. The exact method of exploitation and specific consequences would depend on the nature of the memory corruption." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "Out-of-bounds Write", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-33816" }, { "name": "RHBZ#2455972", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455972" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33816.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:17789" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:36796" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:19137" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:26636" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:22423" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24503" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24539" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:25273" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:13829" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:11070" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:11217" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:13791" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:13907" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:26519" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24479" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24475" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24482" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:17789: Cryostat 4 on RHEL 9" }, { "lang": "en", "value": "RHSA-2026:36796: RHEM 1.0 for RHEL 9" }, { "lang": "en", "value": "RHSA-2026:19137: Red Hat Enterprise Linux AppStream (v. 10)" }, { "lang": "en", "value": "RHSA-2026:26636: Custom Metric Autoscaler 2.19" }, { "lang": "en", "value": "RHSA-2026:22423: Multicluster Global Hub 1.3.4" }, { "lang": "en", "value": "RHSA-2026:24503: Multicluster Global Hub 1.7.1" }, { "lang": "en", "value": "RHSA-2026:24539: Red Hat Advanced Cluster Management for Kubernetes 2.15" }, { "lang": "en", "value": "RHSA-2026:25273: Red Hat Advanced Cluster Management for Kubernetes 2.16" }, { "lang": "en", "value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10" }, { "lang": "en", "value": "RHSA-2026:11070: Red Hat Advanced Cluster Security for Kubernetes 4.8" }, { "lang": "en", "value": "RHSA-2026:11217: Red Hat Advanced Cluster Security for Kubernetes 4.8" }, { "lang": "en", "value": "RHSA-2026:13791: Red Hat Advanced Cluster Security for Kubernetes 4.9" }, { "lang": "en", "value": "RHSA-2026:13907: Red Hat Hardened Images" }, { "lang": "en", "value": "RHSA-2026:26519: Red Hat OpenShift Pipelines 1.21" }, { "lang": "en", "value": "RHSA-2026:24479: Red Hat Trusted Artifact Signer 1.3" }, { "lang": "en", "value": "RHSA-2026:24475: Red Hat Trusted Artifact Signer 1.3" }, { "lang": "en", "value": "RHSA-2026:24482: Red Hat Trusted Artifact Signer 1.3" } ], "timeline": [ { "lang": "en", "time": "2026-04-07T16:01:14.142Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-04-07T15:19:24.529Z", "value": "Made public." } ], "title": "github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-09T12:10:01.070Z" } } ] } }