Skip to main content

PgBouncer CVE-2026-6664

| EUVDEUVD-2026-28876 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-09 PostgreSQL GHSA-pmgp-q838-fh9g
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 09, 2026 - 02:16 EUVD
Analysis Generated
May 09, 2026 - 01:31 vuln.today
CVE Published
May 09, 2026 - 00:43 nvd
HIGH 7.5

DescriptionCVE.org

An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet.

AnalysisAI

Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection pooler by sending a malformed SCRAM authentication packet that triggers an integer overflow in network packet parsing code. The vulnerability bypasses boundary checks in authentication handling, enabling complete service disruption of database connection pooling. EPSS data not available, no confirmed active exploitation (not in CISA KEV), but the unauthenticated remote attack vector (CVSS AV:N/AC:L/PR:N) presents significant risk for internet-exposed PostgreSQL infrastructure.

Technical ContextAI

PgBouncer is a lightweight connection pooler for PostgreSQL databases that manages client connections and reduces database overhead. The vulnerability resides in SCRAM (Salted Challenge Response Authentication Mechanism) authentication packet parsing logic, specifically in integer handling during network packet boundary validation. CWE-190 (Integer Overflow or Wraparound) occurs when arithmetic operations on packet size or offset values exceed maximum representable values, causing the result to wrap around to small or negative numbers. This wraparound bypasses subsequent boundary checks that rely on the overflowed value, allowing malformed packet data to trigger memory access violations or assertion failures that crash the pooler process. SCRAM is PostgreSQL's modern authentication method (SCRAM-SHA-256), making this a core protocol handling issue affecting any PgBouncer deployment using SCRAM authentication.

RemediationAI

Upgrade PgBouncer to version 1.25.2 or later, which includes the integer overflow fix in SCRAM authentication packet parsing. The official fix is documented in the PgBouncer changelog at https://www.pgbouncer.org/changelog.html#pgbouncer-125x. For environments where immediate patching is not feasible, implement network-level access controls to restrict PgBouncer port access (default TCP 6432) to only trusted application servers and database clients-this reduces but does not eliminate risk if internal attackers or compromised application servers exist. Disabling SCRAM authentication and reverting to MD5 is NOT recommended due to MD5's cryptographic weaknesses; this trades a DoS vulnerability for authentication security degradation. Monitor PgBouncer process restarts and connection failures as potential exploitation indicators. Test the upgrade in non-production environments first, as connection pooler changes can affect application connection handling, particularly around authentication handshake timing and connection reuse behavior.

CVE-2015-4054 HIGH POC
7.5 May 23

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by send

CVE-2021-3672 MEDIUM POC
5.6 Nov 23

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se

CVE-2015-6817 HIGH
8.1 May 23

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user

CVE-2025-2291 HIGH
8.1 Apr 16

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,

CVE-2026-6665 HIGH
8.1 May 09

Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution

CVE-2021-3935 HIGH
8.1 Nov 22

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries

CVE-2025-12819 HIGH
7.5 Dec 03

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to

CVE-2026-6666 MEDIUM
5.9 May 09

PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE fie

CVE-2012-4575 MEDIUM
5.0 Nov 18

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a d

CVE-2026-6667 MEDIUM
4.3 May 09

PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing a

Share

CVE-2026-6664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy