Skip to main content

PgBouncer CVE-2026-6665

| EUVDEUVD-2026-28877 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-09 PostgreSQL GHSA-mhmx-mjv6-w337
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 09, 2026 - 02:16 EUVD
Analysis Generated
May 09, 2026 - 01:31 vuln.today
CVE Published
May 09, 2026 - 00:43 nvd
HIGH 8.1

DescriptionCVE.org

The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.

AnalysisAI

Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution via SCRAM authentication nonce manipulation. The flaw stems from incorrect strlcat() return value checking during SCRAM client-final-message construction. Remote unauthenticated exploitation is possible (CVSS 8.1, AV:N/PR:N) but requires high attack complexity - specifically, the attacker must control or compromise the backend PostgreSQL server PgBouncer connects to. No public exploit identified at time of analysis; EPSS and KEV data not available in this assessment.

Technical ContextAI

PgBouncer is a lightweight PostgreSQL connection pooler. The vulnerability affects the SCRAM (Salted Challenge Response Authentication Mechanism) implementation, which PgBouncer uses for secure authentication with PostgreSQL backends. CWE-121 indicates a stack-based buffer overflow. The strlcat() function returns the total length of the string it tried to create, not just the number of characters appended. The SCRAM code failed to validate this return value correctly when concatenating components of the client-final-message. When a malicious backend sends a server-final-message containing an abnormally long nonce value, the unchecked strlcat() can overflow the stack buffer allocated for message construction. CPE string (cpe:2.3:a:n/a:pgbouncer:*:*:*:*:*:*:*:*) indicates all PgBouncer versions before 1.25.2 are affected. This is a server-side vulnerability in the connection pooler's authentication handshake logic, not in PostgreSQL itself.

RemediationAI

Upgrade PgBouncer to version 1.25.2 or later, which correctly validates strlcat() return values in SCRAM authentication code. Download from official PgBouncer releases and review the changelog at https://www.pgbouncer.org/changelog.html#pgbouncer-125x for upgrade procedures. If immediate patching is not feasible, implement network segmentation to ensure PgBouncer only connects to trusted, hardened PostgreSQL backend servers - specifically, place backends in isolated VLANs with strict ingress controls to prevent compromise. Disable SCRAM authentication and use legacy md5 or trust methods ONLY if backend servers are in a fully trusted security zone (this degrades authentication security and should be temporary). Monitor PgBouncer logs for authentication anomalies or unexpected server-final-message patterns during SCRAM handshakes. Note that authentication downgrade introduces password transmission risks and should only be used with encrypted connections (TLS) to backends.

CVE-2015-4054 HIGH POC
7.5 May 23

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by send

CVE-2021-3672 MEDIUM POC
5.6 Nov 23

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se

CVE-2015-6817 HIGH
8.1 May 23

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user

CVE-2025-2291 HIGH
8.1 Apr 16

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,

CVE-2021-3935 HIGH
8.1 Nov 22

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries

CVE-2025-12819 HIGH
7.5 Dec 03

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to

CVE-2026-6664 HIGH
7.5 May 09

Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection po

CVE-2026-6666 MEDIUM
5.9 May 09

PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE fie

CVE-2012-4575 MEDIUM
5.0 Nov 18

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a d

CVE-2026-6667 MEDIUM
4.3 May 09

PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing a

Share

CVE-2026-6665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy