PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6665 PgBouncer CVE debrief

CVE-2026-6665 is a high-severity stack-based buffer overflow in PgBouncer's SCRAM code path. According to the CVE description and the PgBouncer changelog reference, versions before 1.25.2 did not correctly check the return value of strlcat() while building the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. Because PgBouncer is the SCRAM client on its connections to PostgreSQL, the attacker here is the server PgBouncer connects to (or an on-path attacker able to impersonate it), not an application client connecting to PgBouncer.

Vendor
Pgbouncer
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Administrators and application teams running PgBouncer before 1.25.2, especially where PgBouncer authenticates to its PostgreSQL backends with SCRAM (scram-sha-256 in the backend's pg_hba.conf) or where those backends, or the network path to them, are not fully trusted.

Technical summary

The flaw is a stack-based buffer overflow (CWE-121) in SCRAM message construction: the code that assembles the client-final-message does not correctly handle the return value of strlcat(). In SCRAM, the client-final-message echoes the nonce the server supplied in its r= attribute, which is how server-chosen data reaches the buffer PgBouncer builds. The described trigger is a malicious backend that supplies a long nonce in a SCRAM server-final-message, causing the overflow during client message construction. NVD lists the issue as network-exploitable with no privileges or user interaction required but with high attack complexity, consistent with the attacker needing to control, or impersonate on the wire, the PostgreSQL server that PgBouncer is authenticating to.

Defensive priority

High. The CVSS vector provided by NVD is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: high confidentiality, integrity, and availability impact on the PgBouncer process, with the high attack complexity reflecting that the attacker must sit on the backend side of the connection. Prioritize remediation for internet-facing or multi-tenant deployments, for any PgBouncer whose backend connections cross a network you do not control, and for any installation that may connect to backends you do not fully trust.

Recommended defensive actions

  • Upgrade PgBouncer to version 1.25.2 or later, as referenced by the official changelog.
  • Inventory all PgBouncer deployments (packages, containers, sidecars, and vendored builds) and record every instance running a version earlier than 1.25.2; check the running binary with pgbouncer -V rather than relying on package metadata alone.
  • Check whether PgBouncer authenticates to its backends with SCRAM; that is determined by the scram-sha-256 method in the backend's pg_hba.conf, not by PgBouncer's client-facing auth_type. Exercise that login path in staging before and after the upgrade so the fix is validated on the code path that matters.
  • If immediate upgrading is not possible, reduce exposure on the backend side: make sure PgBouncer only connects to PostgreSQL servers you control, and where the backend link crosses a network you do not control, set server_tls_sslmode = verify-full with server_tls_ca_file pointing at the backend CA so an on-path attacker cannot impersonate the backend in the SCRAM exchange. This lowers, but does not remove, the risk from a compromised backend.
  • Document remediation status and re-check package images, containers, and downstream builds that may still include an affected PgBouncer release.
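The inventory and exposure checks above, as an added shell example written for this debrief (not PatchSiren's or the PgBouncer project's code). It assumes that `pgbouncer -V` prints `PgBouncer <version>` on its first line and that backend TLS is configured through the documented server_tls_sslmode and server_tls_ca_file keys in pgbouncer.ini; the version output and ini fragments in the block are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example for this debrief: not PatchSiren's or the PgBouncer project's code.
# Assumes `pgbouncer -V` prints "PgBouncer <version>" on its first line and that
# pgbouncer.ini uses the documented server_tls_sslmode / server_tls_ca_file keys.

FIXED_VERSION="1.25.2"   # first release with the fix, per the CVE description

# version_lt A B: succeed when dotted version A sorts before B. Each component is
# compared numerically; distro or pre-release suffixes such as "-1ubuntu2" or "rc1"
# are dropped, so a release candidate of the fixed version counts as fixed.
version_lt() {
    lhs=$1; rhs=$2
    old_ifs=$IFS; IFS=.
    set -- $lhs; a1=${1%%[!0-9]*}; a2=${2%%[!0-9]*}; a3=${3%%[!0-9]*}
    set -- $rhs; b1=${1%%[!0-9]*}; b2=${2%%[!0-9]*}; b3=${3%%[!0-9]*}
    IFS=$old_ifs
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}; y=${pair##*:}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# pgbouncer_version_from_output TEXT: extract "1.25.1" from `pgbouncer -V` output.
pgbouncer_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^PgBouncer \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# pgbouncer_is_vulnerable VERSION: succeed when VERSION precedes the fix line.
pgbouncer_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# ini_value KEY TEXT: value of the first "KEY = value" line in an ini fragment.
ini_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# server_tls_is_verified TEXT: succeed only when PgBouncer verifies the backend's
# certificate (verify-ca or verify-full). Anything else, including a missing key,
# leaves the SCRAM exchange open to a backend impersonated on the wire.
server_tls_is_verified() {
    case $(ini_value server_tls_sslmode "$1") in
        verify-ca|verify-full) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_report VERSION_OUTPUT INI_TEXT: print one line per check; succeed only when
# the binary is on the fixed line and backend TLS is verified.
audit_report() {
    v=$(pgbouncer_version_from_output "$1")
    ok=0
    if [ -z "$v" ]; then
        printf 'version: could not parse pgbouncer -V output\n'; ok=1
    elif pgbouncer_is_vulnerable "$v"; then
        printf 'version: %s (affected, upgrade to %s or later)\n' "$v" "$FIXED_VERSION"; ok=1
    else
        printf 'version: %s (fixed line)\n' "$v"
    fi
    if server_tls_is_verified "$2"; then
        printf 'backend TLS: verified\n'
    else
        printf 'backend TLS: not verified (server_tls_sslmode=%s)\n' \
            "$(ini_value server_tls_sslmode "$2")"; ok=1
    fi
    return $ok
}

# Constructed samples (not captured from a real host).
AFFECTED_VERSION_OUTPUT='PgBouncer 1.25.1
libevent 2.1.12-stable'
FIXED_VERSION_OUTPUT='PgBouncer 1.25.2
libevent 2.1.12-stable'
WEAK_INI='[databases]
app = host=db.internal port=5432 dbname=app

[pgbouncer]
auth_type = scram-sha-256
server_tls_sslmode = prefer'
HARDENED_INI='[databases]
app = host=db.internal port=5432 dbname=app

[pgbouncer]
auth_type = scram-sha-256
server_tls_sslmode = verify-full
server_tls_ca_file = /etc/pgbouncer/backend-ca.pem'

# Stand-alone demo on the constructed inputs. On a real host use
#   audit_report "$(pgbouncer -V)" "$(cat /etc/pgbouncer/pgbouncer.ini)"
audit_report "$AFFECTED_VERSION_OUTPUT" "$WEAK_INI" || true
audit_report "$FIXED_VERSION_OUTPUT" "$HARDENED_INI" || true
```

Run it under a configuration-management or ssh loop to cover every host, and treat an unparseable version line as a finding rather than a pass: a sidecar or vendored build that does not answer `pgbouncer -V` in the expected form still needs to be checked by hand. The TLS check only covers impersonation of a backend on the wire; a genuinely compromised PostgreSQL server still reaches the vulnerable code path, and only the upgrade closes that.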

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and official references. The key evidence is the CVE description stating the affected condition and version boundary, the NVD record with the CVSS vector and CWE-121 classification, and the official PgBouncer changelog reference for the 1.25.x fix line. The CVE publication timestamp used here is 2026-05-09T01:16:09.013Z; that is treated as the disclosure context, not the generation time.

Official resources

Public disclosure is reflected in the CVE record and NVD entry dated 2026-05-09. This summary uses that publication timestamp for context and does not treat any later processing time as the issue date.