Integer Overflow Vulnerability in PgBouncer Affects Unauthenticated Remote Access
CVE-2026-6664
7.5 HIGH
What is CVE-2026-6664?
PgBouncer versions prior to 1.25.2 contain an integer overflow in the code that parses incoming network packets. Because a length computation can wrap around, a boundary check that is supposed to reject oversized or inconsistent lengths passes, and the parser proceeds past the end of the received data. An unauthenticated remote attacker who can reach the PgBouncer listener can trigger this with a malformed SCRAM authentication packet; the reported impact is a crash of the PgBouncer service, i.e. a denial of service for every client routed through it. No authentication or user interaction is needed, since the flaw sits in the authentication exchange itself. Upgrade to PgBouncer 1.25.2 or later; the running version can be confirmed with pgbouncer --version. Until the upgrade is done, restricting which networks can reach the PgBouncer port reduces exposure but does not remove the flaw.
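To make the class of bug concrete, here is a small added example (written for this page, not PgBouncer's code, and not a reconstruction of the actual fix). It parses a message body shaped like the PostgreSQL SASLInitialResponse that carries the SCRAM client-first message: a NUL-terminated mechanism name, a 4-byte big-endian length, then the response bytes. The vulnerable parser checks "start + length > total", which wraps for a length near UINT32_MAX and lets the check pass; the hardened parser compares the length against the bytes that remain, which cannot overflow. The function names, the -1 handling and the crafted packet are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative message layout (not PgBouncer's implementation):
 *   mechanism name, NUL-terminated
 *   int32 big-endian length of the initial client response, -1 = none
 *   initial client response bytes
 */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Locate the length field. Returns its offset, or 0 on failure (0 is never a
 * valid offset because the mechanism name needs at least its terminator). */
static uint32_t find_len_field(const uint8_t *body, uint32_t body_len)
{
    size_t mech_len = strnlen((const char *)body, body_len);
    if (mech_len == 0 || mech_len == body_len)   /* empty name or no NUL */
        return 0;
    uint32_t off = (uint32_t)mech_len + 1;       /* off <= body_len here */
    if (body_len - off < 4)                      /* room for the int32?  */
        return 0;
    return off;
}

/* Vulnerable pattern: bounds check written as "start + len > total". */
int parse_vulnerable(const uint8_t *body, uint32_t body_len, uint32_t *resp_len)
{
    uint32_t off = find_len_field(body, body_len);
    if (off == 0) return 0;
    uint32_t n = be32(body + off);
    off += 4;
    if (n == 0xFFFFFFFFu) { *resp_len = 0; return 1; }   /* -1: no response */
    /* BUG: off + n is evaluated in uint32_t. For n near UINT32_MAX the sum
     * wraps to a small value, the check passes, and a caller that then reads
     * n bytes from body + off runs off the end of the packet. */
    if (off + n > body_len) return 0;
    *resp_len = n;
    return 1;
}

/* Hardened pattern: compare len against the bytes that remain. body_len - off
 * cannot underflow because find_len_field already established off <= body_len. */
int parse_hardened(const uint8_t *body, uint32_t body_len, uint32_t *resp_len)
{
    uint32_t off = find_len_field(body, body_len);
    if (off == 0) return 0;
    uint32_t n = be32(body + off);
    off += 4;
    if (n == 0xFFFFFFFFu) { *resp_len = 0; return 1; }
    if (n > body_len - off) return 0;
    *resp_len = n;
    return 1;
}

/* Build a constructed message body for testing: "SCRAM-SHA-256", the given
 * length field, and an optional response payload. */
static uint32_t build_body(uint8_t *out, uint32_t n, const char *resp)
{
    const char *mech = "SCRAM-SHA-256";
    uint32_t off = (uint32_t)strlen(mech) + 1;
    memcpy(out, mech, off);
    out[off++] = (uint8_t)(n >> 24); out[off++] = (uint8_t)(n >> 16);
    out[off++] = (uint8_t)(n >> 8);  out[off++] = (uint8_t)n;
    if (resp) { memcpy(out + off, resp, strlen(resp)); off += (uint32_t)strlen(resp); }
    return off;
}

/* Run one parser over a constructed body. Returns -1 if the parser rejects the
 * message, otherwise the response length it would hand to the SCRAM code. */
int64_t check_packet(int hardened, uint32_t n, const char *resp)
{
    uint8_t body[64];
    uint32_t body_len = build_body(body, n, resp);
    uint32_t resp_len = 0;
    int ok = hardened ? parse_hardened(body, body_len, &resp_len)
                      : parse_vulnerable(body, body_len, &resp_len);
    return ok ? (int64_t)resp_len : -1;
}

int main(void)
{
    /* Crafted length 0xFFFFFFF0: 18 + 0xFFFFFFF0 wraps to 2 in 32 bits. */
    printf("crafted  vulnerable=%lld hardened=%lld\n",
           (long long)check_packet(0, 0xFFFFFFF0u, NULL),
           (long long)check_packet(1, 0xFFFFFFF0u, NULL));
    printf("benign   vulnerable=%lld hardened=%lld\n",
           (long long)check_packet(0, 5, "n,,n="),
           (long long)check_packet(1, 5, "n,,n="));
    return 0;
}
```

The crafted message is 18 bytes long and declares a response of 0xFFFFFFF0 bytes; the vulnerable parser accepts it and would read roughly 4 GiB past the buffer, while the hardened parser rejects it because zero bytes remain. The same subtract-then-compare shape is the general fix for any "offset + length" check on attacker-supplied lengths.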
Affected Version(s)
PgBouncer 0 < 1.25.2
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Confidentiality: None
Integrity: None
Availability: High (a service crash is a denial of service; with Availability at None the vector above would score 0.0, so the 7.5 score requires A:H)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to Johannes Möller for finding and reporting this problem.
