{
  "threat_severity" : "Important",
  "public_date" : "2026-03-26T19:40:51Z",
  "bugzilla" : {
    "description" : "github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server",
    "id" : "2451847",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451847"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1285",
  "details" : [ "The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.", "A flaw was found in the DataRow.Decode function within the github.com/jackc/pgproto3/v2 component. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message containing a negative field length. This improper validation of field lengths leads to a \"slice bounds out of range panic\", resulting in a Denial of Service (DoS) for the affected application." ],
  "statement" : "The PostgreSQL server that multicluster-globalhub-manager connects to is either provisioned by the operator itself or specified by the admin managing the deployment. To successfully exploit the vulnerability in this context, the attacker would need either to compromise the operator-deployed PostgreSQL server so that it sends a crafted malicious DataRow message, or to have the privileges required to modify the operator-provisioned deployment or to configure globalhub-manager to use a compromised/malicious “BYO Postgres” server.\nThe first scenario (compromising a legitimate PostgreSQL server) would change Attack Complexity from Low to High, resulting in an adjusted CVSS v3.1 score of 5.9 (Moderate).\nThe other scenarios (manipulating the operator-provisioned deployment or configuring the globalhub-manager to use a malicious server) would maintain AC:L but would require privileged access. This would change Privileges Required from None to High, resulting in an adjusted CVSS v3.1 score of 4.9 (Moderate).\nBased on the above, the Impact Rating for multicluster-globalhub-manager-rhel9 is Moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22450",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "osbuild-composer-0:165.1-2.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22714",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "osbuild-composer-0:165.1-2.el9_8"
  }, {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-agent-rhel9:1779210675",
    "impact" : "moderate"
  }, {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-manager-rhel9:1779210608",
    "impact" : "moderate"
  }, {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-rhel9-operator:1779209992",
    "impact" : "moderate"
  }, {
    "product_name" : "Multicluster Global Hub 1.4.5",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22347",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.4::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439"
  }, {
    "product_name" : "Multicluster Global Hub 1.5.4",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21769",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.5::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753"
  }, {
    "product_name" : "Multicluster Global Hub 1.6.2",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23345",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.6::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11070",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:1777307791"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11070",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-v4-rhel8:1777307791"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11217",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:1777307791"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11217",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-v4-rhel8:1777307791"
  }, {
    "product_name" : "Red Hat Quay 3.1",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11916",
    "cpe" : "cpe:/a:redhat:quay:3.10::el8",
    "package" : "quay/quay-rhel8:1776736910"
  }, {
    "product_name" : "Red Hat Quay 3.12",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11856",
    "cpe" : "cpe:/a:redhat:quay:3.12::el8",
    "package" : "quay/quay-rhel8:1776752646"
  }, {
    "product_name" : "Red Hat Quay 3.14",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:21017",
    "cpe" : "cpe:/a:redhat:quay:3.14::el8",
    "package" : "quay/quay-rhel8:1779689392"
  }, {
    "product_name" : "Red Hat Quay 3.15",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24853",
    "cpe" : "cpe:/a:redhat:quay:3.15::el8",
    "package" : "quay/quay-rhel8:1780891395"
  }, {
    "product_name" : "Red Hat Quay 3.16",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19375",
    "cpe" : "cpe:/a:redhat:quay:3.16::el9",
    "package" : "quay/quay-rhel9:1779204086"
  }, {
    "product_name" : "Red Hat Quay 3.17",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22465",
    "cpe" : "cpe:/a:redhat:quay:3.17::el9",
    "package" : "quay/quay-rhel9:1779922205"
  }, {
    "product_name" : "Red Hat Quay 3.9",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:11996",
    "cpe" : "cpe:/a:redhat:quay:3.9::el8",
    "package" : "quay/quay-rhel8:1776782369"
  } ],
  "package_state" : [ {
    "product_name" : "Assisted Installer for Red Hat OpenShift Container Platform 2",
    "fix_state" : "Affected",
    "package_name" : "rhai/assisted-installer-controller-rhel9",
    "cpe" : "cpe:/a:redhat:assisted_installer:2"
  }, {
    "product_name" : "Assisted Installer for Red Hat OpenShift Container Platform 2",
    "fix_state" : "Affected",
    "package_name" : "rhai/assisted-installer-rhel9",
    "cpe" : "cpe:/a:redhat:assisted_installer:2"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-installer-agent-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-installer-agent-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-installer-controller-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-installer-controller-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-installer-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-installer-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-service-8-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-service-9-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/cluster-api-provider-aws-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-operator-bundle",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/acm-search-indexer-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/acm-search-v2-api-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "osbuild-composer",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "golang1.25",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "golang1.26",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-data-science-pipelines-argo-argoexec-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Cluster Manager CLI",
    "fix_state" : "Affected",
    "package_name" : "ocm-cli-clients/ocm-cli-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_cluster_manager_cli:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-api-server-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-api-server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-csr-approver-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-csr-approver-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-node-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-node-agent-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-orchestrator-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-agent-installer-orchestrator-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-aws-cluster-api-controllers-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift on AWS",
    "fix_state" : "Affected",
    "package_name" : "rosa",
    "cpe" : "cpe:/a:redhat:openshift_service_on_aws:1"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/clair-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/clair-rhel9",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/quay-operator-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/quay-operator-rhel9",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/createtree-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/trillian-database-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/trillian-logserver-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/trillian-logsigner-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/updatetree-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32286\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32286\nhttps://github.com/golang/vulndb/issues/4518\nhttps://github.com/jackc/pgx/issues/2507\nhttps://pkg.go.dev/vuln/GO-2026-4518" ],
  "name" : "CVE-2026-32286",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}