PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6666 Pgbouncer CVE debrief

CVE-2026-6666 describes a crash risk in PgBouncer before 1.25.2 when a server sends an error response that does not include an SQLSTATE field. The issue is categorized as a null pointer dereference (CWE-476) and rates Medium severity (CVSS 5.9). The primary operational concern is availability: affected PgBouncer instances may terminate or become unstable after receiving the triggering error response.

Vendor: Pgbouncer
Product: Unknown
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Administrators and operators running PgBouncer before 1.25.2, especially in environments where application or backend server errors are routed through PgBouncer. Service owners who depend on PgBouncer for connection pooling or traffic mediation should treat this as an availability issue.

Technical summary

The vulnerability is described as a possible null pointer dereference in PgBouncer before version 1.25.2. It can be triggered when a server sends an error response without an SQLSTATE field, which may lead to a crash. The supplied NVD data maps the weakness to CWE-476 and lists the CVSS vector as network-reachable with high attack complexity and high availability impact, and no confidentiality or integrity impact.
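To make the failure mode concrete, the following added example (not PgBouncer's own code, and not taken from the advisory) parses a PostgreSQL wire-protocol ErrorResponse message and shows the CWE-476 pattern, assuming the SQLSTATE field ('C') is always present, beside a hardened version that treats a missing SQLSTATE as its own case. The message bytes are constructed inline from the protocol's documented layout; the helper and function names are this example's own.

```python
import struct
from typing import Dict, Optional

# ErrorResponse framing: 'E', int32 length (counting itself), then repeated
# (1-byte field code, NUL-terminated string), closed by a single 0x00.
# Field 'C' carries the five-character SQLSTATE; 'M' the human-readable message.


def build_error_response(fields: Dict[str, str]) -> bytes:
    """Encode an ErrorResponse from a {field_code: value} mapping (constructed helper)."""
    body = b"".join(code.encode("ascii") + value.encode("utf-8") + b"\x00"
                    for code, value in fields.items()) + b"\x00"
    return b"E" + struct.pack("!I", len(body) + 4) + body


def parse_error_response(msg: bytes) -> Dict[str, str]:
    """Decode ErrorResponse fields into a dict; rejects malformed framing."""
    if len(msg) < 5 or msg[0:1] != b"E":
        raise ValueError("not an ErrorResponse")
    (length,) = struct.unpack("!I", msg[1:5])
    if length + 1 != len(msg):
        raise ValueError("length field does not match message size")
    body = msg[5:]
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body) and body[pos] != 0:
        code = chr(body[pos])
        end = body.index(b"\x00", pos + 1)  # ValueError if a string is unterminated
        fields[code] = body[pos + 1:end].decode("utf-8", errors="replace")
        pos = end + 1
    return fields


def sqlstate_class_unsafe(fields: Dict[str, str]) -> str:
    """The CWE-476 shape: assumes 'C' exists. Fails (KeyError here, NULL deref in C)
    when a server omits SQLSTATE."""
    return fields["C"][:2]


def classify_error(fields: Dict[str, str]) -> str:
    """Hardened: a missing or malformed SQLSTATE is handled as its own bucket."""
    code: Optional[str] = fields.get("C")
    if code is None or len(code) != 5:
        return "missing-sqlstate"
    # Class 08 is "Connection Exception" in the SQLSTATE standard.
    return "connection-error" if code.startswith("08") else "other"
```

Both the unsafe and hardened functions are given the same parsed fields; only the hardened one survives a message that carries a message text but no SQLSTATE.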

Defensive priority

Medium. This is an availability-impacting issue rather than a code-execution or data-exposure flaw, but it can still disrupt dependent services if PgBouncer is exposed to the triggering condition.

Recommended defensive actions

  • Upgrade PgBouncer to 1.25.2 or a later fixed release.
  • Review the upstream PgBouncer changelog entry for the 1.25.x line referenced in the advisory.
  • Monitor PgBouncer processes for unexpected exits or restarts and verify service supervision is in place.
  • If you cannot upgrade immediately, assess whether backend/server error handling paths could be generating responses without SQLSTATE fields and prioritize mitigation through operational controls.

Evidence notes

The source corpus contains an NVD record published on 2026-05-09 with the description that PgBouncer before 1.25.2 may crash if a server sends an error response without SQLSTATE. The NVD metadata also includes CWE-476 and a reference to the PgBouncer changelog for the 1.25.x series. No additional exploitability details, affected deployment scope, or vendor statement were provided in the corpus.

Official resources

Publicly disclosed in the official CVE/NVD record on 2026-05-09. The supplied sources indicate the issue is fixed by PgBouncer 1.25.2 or later, but no additional disclosure timeline was provided.