Skip to main content

PgBouncer EUVDEUVD-2026-28878

| CVE-2026-6666 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-09 PostgreSQL GHSA-4463-8rvf-rj9f
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 09, 2026 - 02:16 EUVD
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVE Published
May 09, 2026 - 00:43 nvd
MEDIUM 5.9

DescriptionCVE.org

A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field.

AnalysisAI

PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE field, enabling denial of service against connection pooling infrastructure. The vulnerability requires an attacker to control or compromise a PostgreSQL backend server or intercept server responses on the network, making exploitation conditional on non-default network topology or server compromise. CVSS score of 5.9 reflects high availability impact but limited attack surface due to medium complexity (AC:H).

Technical ContextAI

PgBouncer is a lightweight connection pooler for PostgreSQL that sits between clients and database servers, managing connection multiplexing and authentication. The vulnerability stems from a null pointer dereference (CWE-476) in the error response parsing logic. When PgBouncer receives an error message from a PostgreSQL backend server, it expects the response to include an SQLSTATE field (a standardized 5-character error code per PostgreSQL protocol). If a server sends a malformed error response omitting this field, the code attempts to dereference a null pointer, triggering a segmentation fault and crashing the entire pooler process. This affects all clients connected through that PgBouncer instance, creating a denial of service condition for database access.

RemediationAI

Upgrade PgBouncer to version 1.25.2 or later immediately. The vendor-released patch addresses the null pointer dereference by adding proper validation of the SQLSTATE field in error responses before dereferencing it. If immediate upgrade is not feasible, implement network-level mitigations: restrict network access to PgBouncer backend connections to trusted PostgreSQL servers only, use firewall rules to prevent untrusted hosts from sending responses to the pooler, and monitor PostgreSQL servers for compromise or misconfiguration that could generate malformed error responses. Additionally, implement monitoring and alerting for unexpected PgBouncer process crashes, which may indicate exploitation attempts. These compensating controls do not eliminate the vulnerability but reduce the attack surface by limiting which entities can trigger the crash condition.

CVE-2015-4054 HIGH POC
7.5 May 23

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by send

CVE-2021-3672 MEDIUM POC
5.6 Nov 23

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se

CVE-2015-6817 HIGH
8.1 May 23

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user

CVE-2025-2291 HIGH
8.1 Apr 16

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,

CVE-2026-6665 HIGH
8.1 May 09

Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution

CVE-2021-3935 HIGH
8.1 Nov 22

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries

CVE-2025-12819 HIGH
7.5 Dec 03

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to

CVE-2026-6664 HIGH
7.5 May 09

Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection po

CVE-2012-4575 MEDIUM
5.0 Nov 18

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a d

CVE-2026-6667 MEDIUM
4.3 May 09

PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing a

Share

EUVD-2026-28878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy