CVE-2026-6665

PgBouncer · PgBouncer

A stack-based buffer overflow exists in the SCRAM authentication code of PgBouncer, potentially allowing for remote code execution.

Executive summary

A stack-based buffer overflow in the PgBouncer SCRAM authentication mechanism presents a risk of remote code execution or service disruption.

Vulnerability

This is a stack-based buffer overflow (CWE-121) located within the SCRAM authentication processing logic. The vulnerability is exploitable by an unauthenticated attacker sending specially crafted packets to the PgBouncer service.

Business impact

This vulnerability is highly critical due to the potential for remote code execution (RCE) on the database connection pooler. Successful exploitation could lead to full system compromise, unauthorized access to database traffic, or complete service unavailability, significantly impacting business operations. The CVSS score of 8.1 reflects the severe technical impact on system integrity and availability.

Remediation

Immediate Action: Upgrade PgBouncer to version 1.25.2 or later to address the vulnerable SCRAM implementation.

Proactive Monitoring: Monitor PgBouncer logs and system resources for unexpected crashes, segmentation faults, or anomalous traffic patterns targeting authentication ports.

Compensating Controls: Use network-level segmentation to restrict access to the PgBouncer management and authentication interfaces to trusted IP addresses only.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this flaw necessitates immediate attention. Administrators must ensure all instances of PgBouncer are updated to version 1.25.2 to mitigate the risk of remote code execution and ensure the ongoing security of the database infrastructure.