CVE-2026-6665 is a high-severity PgBouncer issue in the SCRAM code path. According to the CVE description and the PgBouncer changelog reference, versions before 1.25.2 did not correctly check the return value of strlcat() while building the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
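The return-value check at issue, shown as an added example rather than PgBouncer's own code: strlcat() returns the length of the string it tried to create, so a result greater than or equal to the buffer size means the input did not fit and message construction must stop. `bounded_cat` is a local stand-in with strlcat() semantics (not every libc ships strlcat), and `build_client_final_prefix` and the 16-byte buffer are hypothetical, chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in with strlcat() semantics: appends src to dst within size
 * bytes, always NUL-terminates when there is room, and returns the length
 * of the string it TRIED to create (which may exceed size). */
static size_t bounded_cat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src);
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)
        return size + slen;            /* dst was not terminated within size */
    size_t room = size - dlen - 1;     /* bytes left, excluding the NUL */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Hypothetical helper: builds "c=biws,r=<nonce>", the start of a SCRAM
 * client-final-message (RFC 5802), into out. Returns 0 on success and -1
 * if the peer-supplied nonce does not fit. The return value of each append
 * is compared with size and never reused as an offset into out. */
int build_client_final_prefix(char *out, size_t size, const char *nonce)
{
    if (size == 0)
        return -1;
    out[0] = '\0';
    if (bounded_cat(out, "c=biws,r=", size) >= size)
        return -1;
    if (bounded_cat(out, nonce, size) >= size)
        return -1;                     /* over-long nonce: reject, do not send */
    return 0;
}

int main(void)
{
    char buf[16];
    /* Constructed sample nonces: one that fits, one that is one byte too long. */
    printf("fits:     %d\n", build_client_final_prefix(buf, sizeof buf, "abcdef"));
    printf("too long: %d\n", build_client_final_prefix(buf, sizeof buf, "abcdefg"));
    return 0;
}
```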
CVE-2026-6664 is a high-severity availability issue in PgBouncer before 1.25.2. According to the NVD entry and the vendor changelog reference, an integer overflow in network packet parsing can bypass a boundary check, and an unauthenticated remote attacker can crash PgBouncer by sending a malformed SCRAM authentication packet.