External risk intelligence

jackc/pgx database library could allow external attacker to cause service outages

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-33815

An external attacker can send malicious data to applications using the jackc/pgx database library to trigger system crashes. This can result in persistent service outages, taking down critical business functions by disabling database connectivity.

1Halo Surface Signal

Jackc Pgx

External exposure likelihood

Halo Surface Signal score for CVE-2026-33815

The pgx package is a Go library for communicating with PostgreSQL databases. The database protocol parser operates over private database connections between the Go application and the database server. This communication occurs within isolated internal networks, and the PostgreSQL wire protocol is not directly exposed to the public internet in standard deployments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This is a memory-safety vulnerability in the `pgx` Go library, which is used for interacting with PostgreSQL databases. This issue could allow for significant compromise if exploited.

  • Allows attackers to execute code.
  • Impacts applications using the library.
  • High severity could lead to full system takeover.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this memory-safety vulnerability in the `pgx` Go library to achieve remote code execution. This would involve sending specially crafted data to a Go application that uses the vulnerable `pgx` library to communicate with a PostgreSQL database. The application would then process this malicious data, triggering the vulnerability and allowing the attacker to execute arbitrary code on the server hosting the application.

  • Target vulnerable Go applications.
  • Abuse database protocol parsing.
  • Requires network access to the application.

Live Threat

Current exploitation, exposure, and threat context

This critical memory-safety vulnerability in the `pgx` Go library is unlikely to be weaponized for widespread exploitation. The library's primary function involves communication over private database connections, which are typically not exposed to the public internet. Attackers generally prefer vulnerabilities in internet-facing services for broader impact.

  • Exploitation requires direct access to the database connection.
  • No public exploit code is currently observed.
  • The vulnerability is not listed on KEV.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or upgrading the `github.com/jackc/pgx/v5` Go library immediately due to its critical memory-safety vulnerability. Given the high CVSS score and potential for remote code execution, assess all services using this library and implement strict network segmentation if immediate patching is not feasible.

  • Update `pgx/v5` to a fixed version.
  • Isolate affected services from untrusted networks.
  • Monitor for signs of exploitation or unusual database activity.

Frequently asked questions

What is jackc/pgx and what is it used for?

The `jackc/pgx` package is a popular Go library for interacting with PostgreSQL databases. Developers use it to build applications that need to connect to, query, and manage data within PostgreSQL. It handles the communication between a Go application and the database server.

How does CVE-2026-33815 affect the pgx library?

CVE-2026-33815 is a critical memory-safety vulnerability within the `pgx` library. This type of weakness means the software doesn't properly manage memory, potentially allowing attackers to influence program execution or cause it to crash.

What are the preconditions for exploiting CVE-2026-33815?

An attacker needs network access to a Go application that uses the vulnerable `pgx` library. They would then send specially crafted data that abuses the database protocol parsing, triggering the vulnerability. The bug is not triggered by simply connecting to the database or by normal database operations.

Who needs to care about this CVE, based on Halo Surface Signal?

Organizations running Go applications that communicate with PostgreSQL databases using the `pgx` library should be aware of this vulnerability. The Halo Surface Signal indicates this is unlikely to be exploited externally because the database connections are typically internal and not directly internet-facing.

What is the first step to address this vulnerability?

The immediate first step is to upgrade the `github.com/jackc/pgx/v5` Go library to a version that has addressed this memory-safety vulnerability. If immediate patching isn't possible, isolating the affected services from untrusted networks is a crucial interim measure.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified