Null Pointer Reference Vulnerability in PgBouncer by PostgreSQL
CVE-2026-6666

5.9 MEDIUM

Key Information:

Vendor: PostgreSQL

Status
Vendor
CVE Published: 9 May 2026

What is CVE-2026-6666?

A null pointer reference vulnerability exists in PgBouncer versions before 1.25.2. This issue can lead to a server crash if an error response is received without the SQLSTATE field. It is crucial for users of affected versions to upgrade to mitigate potential disruptions in database operations.
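The failure mode described above, as an added example that is not PgBouncer's code: a parser for the body of a PostgreSQL ErrorResponse message that treats the SQLSTATE (`C`) field as optional and checks for its absence before use. The names `err_fields`, `parse_error_body` and `sqlstate_is` are hypothetical, and the sample message bodies are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Fields of interest from an ErrorResponse body; NULL means "absent". */
struct err_fields { const char *severity, *sqlstate, *message; };

/* Body layout: repeated <1-byte field type><NUL-terminated string>,
 * ended by a single 0 byte. Returns 0 on success, -1 if the body is
 * truncated or a string is not terminated inside the buffer. */
static int parse_error_body(const unsigned char *buf, size_t len, struct err_fields *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof(*out));
    while (pos < len) {
        unsigned char type = buf[pos++];
        if (type == 0)
            return 0;                       /* terminator reached */
        const unsigned char *end = memchr(buf + pos, 0, len - pos);
        if (end == NULL)
            return -1;                      /* unterminated field value */
        const char *val = (const char *)(buf + pos);
        switch (type) {
        case 'S': out->severity = val; break;
        case 'C': out->sqlstate = val; break;
        case 'M': out->message = val; break;
        default: break;                     /* other field types ignored */
        }
        pos = (size_t)(end - buf) + 1;
    }
    return -1;                              /* no terminator byte seen */
}

/* Safe comparison: calling strcmp(f->sqlstate, code) without the NULL
 * check would dereference a null pointer when the 'C' field is missing. */
static int sqlstate_is(const struct err_fields *f, const char *code)
{
    return f->sqlstate != NULL && strcmp(f->sqlstate, code) == 0;
}

/* Constructed sample bodies (not captured traffic). */
static const unsigned char WITH_CODE[] = "SFATAL\0C28P01\0Mbad password\0";
static const unsigned char NO_CODE[] = "SFATAL\0Mbad password\0";

int main(void)
{
    struct err_fields f;
    if (parse_error_body(NO_CODE, sizeof NO_CODE, &f) != 0) return 1;
    printf("sqlstate present: %s, is 28P01: %d\n", f.sqlstate ? "yes" : "no", sqlstate_is(&f, "28P01"));
    return 0;
}
```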

Affected Version(s)

PgBouncer 0 < 1.25.2

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks to HarutoKimura for finding and reporting this problem.