PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6664 Pgbouncer CVE debrief

CVE-2026-6664 is a high-severity availability issue in PgBouncer before 1.25.2. According to the NVD entry and the vendor changelog reference, an integer overflow in network packet parsing can bypass a boundary check, and an unauthenticated remote attacker can crash PgBouncer by sending a malformed SCRAM authentication packet.

Vendor: Pgbouncer
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Operators and administrators running PgBouncer in front of PostgreSQL services should prioritize this issue, especially if PgBouncer is reachable over the network and used for SCRAM authentication.

Technical summary

The reported weakness is CWE-190 (integer overflow). In affected PgBouncer versions before 1.25.2, malformed network input during SCRAM authentication can cause packet parsing to overflow an integer, bypass a boundary check, and terminate the process. The impact described in the source material is denial of service via crash; no confidentiality or integrity impact is indicated in the supplied data.

Defensive priority

High. The issue is network-reachable, requires no authentication, and can be triggered remotely to crash the service, creating an immediate availability risk.

Recommended defensive actions

  • Upgrade PgBouncer to version 1.25.2 or later.
  • Verify which hosts and services expose PgBouncer on the network and reduce exposure where possible.
  • Monitor PgBouncer instances for unexpected crashes or repeated authentication-related failures.
  • After upgrading, validate that the deployed build is the fixed release and that restart procedures are in place to restore service quickly.
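The first and last actions above come down to one check: is every deployed PgBouncer at 1.25.2 or later? The following script is an added example written for this debrief, not code from PgBouncer or from the advisory. It assumes that `pgbouncer --version` (and the admin console's SHOW VERSION) print a line beginning "PgBouncer X.Y.Z"; the host inventory is constructed sample data. Versions are compared as integer tuples so that 1.9.x is correctly ordered below 1.25.2, which a plain string comparison would get wrong.

```python
import re
import subprocess

# Release in which CVE-2026-6664 is fixed, per the advisory.
FIXED_VERSION = (1, 25, 2)


def parse_pgbouncer_version(output):
    """Extract (major, minor, patch) from text such as 'PgBouncer 1.25.1'.

    Assumption: both `pgbouncer --version` and SHOW VERSION lead with
    'PgBouncer X.Y.Z'. Returns None when no version number is present.
    """
    m = re.search(r"PgBouncer\s+(\d+)\.(\d+)\.(\d+)", output, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_fixed(version):
    """True when the parsed version is at or above the fixed release."""
    return version is not None and version >= FIXED_VERSION


def assess_hosts(inventory):
    """Map host -> 'fixed' | 'vulnerable' | 'unknown' from raw version text."""
    result = {}
    for host, text in inventory.items():
        version = parse_pgbouncer_version(text)
        if version is None:
            result[host] = "unknown"       # could not confirm; treat as a follow-up
        elif is_fixed(version):
            result[host] = "fixed"
        else:
            result[host] = "vulnerable"
    return result


def local_version_text():
    """Run `pgbouncer --version` on this host; '' if the binary is absent."""
    try:
        proc = subprocess.run(["pgbouncer", "--version"],
                              capture_output=True, text=True, check=False)
        return proc.stdout
    except FileNotFoundError:
        return ""


# Constructed sample inventory (hostnames and outputs are made up).
SAMPLE_INVENTORY = {
    "db-proxy-01": "PgBouncer 1.25.1\nlibevent 2.1.12-stable\n",
    "db-proxy-02": "PgBouncer 1.25.2\n",
    "db-proxy-03": "PgBouncer 1.26.0\n",
    "db-proxy-04": "pgbouncer: command not found\n",
}

if __name__ == "__main__":
    for host, status in sorted(assess_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
    local = local_version_text()
    if local:
        state = "fixed" if is_fixed(parse_pgbouncer_version(local)) else "vulnerable"
        print(f"local host: {state}")
```

In practice `SAMPLE_INVENTORY` would be replaced by the output collected from each host (for example over SSH or from a configuration-management fact), and any "unknown" result should be resolved by hand rather than assumed fixed.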

Evidence notes

This debrief is based only on the supplied NVD record and the referenced PgBouncer changelog anchor. The source explicitly states that the issue affects PgBouncer before 1.25.2, that it involves an integer overflow in packet parsing, and that an unauthenticated remote attacker can crash the service using a malformed SCRAM authentication packet. The CVSS vector supplied by NVD is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Official resources

The supplied official record shows CVE publication and modification on 2026-05-09T01:16:08.863Z. No KEV entry was supplied.