CVE-2026-6665 Overview
CVE-2026-6665 is a stack-based buffer overflow vulnerability in PgBouncer, the lightweight connection pooler for PostgreSQL. The flaw resides in the Salted Challenge Response Authentication Mechanism (SCRAM) code path in versions before 1.25.2. PgBouncer fails to correctly check the return value of strlcat() when constructing the SCRAM client-final-message. A malicious backend that returns a SCRAM server-final-message containing an oversized nonce can trigger a stack overflow in the PgBouncer process. The vulnerability is exploitable over the network without authentication and can lead to memory corruption affecting confidentiality, integrity, and availability.
Critical Impact
A malicious PostgreSQL backend can corrupt PgBouncer's stack memory through a crafted SCRAM authentication response, enabling potential remote code execution against the connection pooler.
Affected Products
- PgBouncer versions prior to 1.25.2
- Deployments using SCRAM authentication with PostgreSQL backends
- All platforms running affected PgBouncer builds
Discovery Timeline
- 2026-05-09 - CVE-2026-6665 published to the National Vulnerability Database (NVD)
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6665
Vulnerability Analysis
The vulnerability is classified as a stack-based buffer overflow [CWE-121]. PgBouncer implements SCRAM-SHA-256 authentication when proxying connections between clients and PostgreSQL backends. During the SCRAM handshake, PgBouncer constructs the client-final-message by appending data including the server-provided nonce.
The strlcat() function returns the total length the resulting string would have been, regardless of whether truncation occurred. PgBouncer ignores this return value, so it does not detect when concatenation would exceed the destination buffer on the stack. When a malicious backend sends a server-final-message with an unusually long nonce, the resulting write overruns the fixed-size stack buffer.
Root Cause
The root cause is improper handling of the strlcat() return value when building SCRAM authentication messages. The code assumes the destination buffer is large enough to hold concatenated nonce data without validating actual sizes. This violates safe string handling practices and produces a writable overflow on the stack frame of the SCRAM client function.
Attack Vector
Exploitation requires that PgBouncer connect to an attacker-controlled or compromised PostgreSQL backend that returns a malicious SCRAM server-final-message. The attack is network-based and requires no prior authentication to PgBouncer itself. An adversary controlling the backend, or capable of man-in-the-middle interception of an unencrypted backend connection, can deliver the oversized nonce. Successful exploitation overwrites adjacent stack data, potentially including return addresses and saved registers, leading to denial of service or arbitrary code execution in the PgBouncer process.
No verified public exploitation code is available. For technical context, refer to the PgBouncer Changelog Entry.
Detection Methods for CVE-2026-6665
Indicators of Compromise
- Unexpected crashes or segmentation faults in the PgBouncer process during SCRAM authentication
- PgBouncer log entries showing SCRAM handshake failures originating from specific backend hosts
- Anomalous backend connections to hosts outside the approved PostgreSQL inventory
Detection Strategies
- Inventory PgBouncer installations and compare reported versions against 1.25.2 or later
- Monitor PgBouncer worker processes for abnormal termination, core dumps, or restart loops
- Inspect network traffic between PgBouncer and PostgreSQL backends for SCRAM messages containing oversized nonce fields
- Audit configured backend connection strings for unexpected or untrusted PostgreSQL hosts
Monitoring Recommendations
- Enable verbose PgBouncer logging and forward logs to a centralized analytics platform for correlation
- Alert on repeated SCRAM authentication failures associated with the same backend endpoint
- Track outbound connections from PgBouncer hosts to ensure they target only approved PostgreSQL servers
How to Mitigate CVE-2026-6665
Immediate Actions Required
- Upgrade PgBouncer to version 1.25.2 or later on all affected hosts
- Restrict PgBouncer backend configurations to trusted, internally managed PostgreSQL servers only
- Enforce TLS for all PgBouncer-to-backend connections to prevent man-in-the-middle injection of malicious SCRAM responses
- Restart PgBouncer services after patching to ensure the vulnerable code path is no longer loaded
Patch Information
The PgBouncer project released the fix in version 1.25.2. The patch validates the strlcat() return value when building the SCRAM client-final-message, preventing stack buffer overrun when a backend supplies an oversized nonce. Review the PgBouncer Changelog Entry for the full list of fixes included in the release.
Workarounds
- Limit backend connectivity to PostgreSQL servers under direct administrative control until patching is complete
- Disable SCRAM authentication paths where operationally feasible and use alternative authentication backed by TLS client certificates
- Place PgBouncer and its backends on isolated network segments to reduce exposure to attacker-controlled servers
# Verify installed PgBouncer version
pgbouncer --version
# Example Debian/Ubuntu upgrade
sudo apt-get update
sudo apt-get install --only-upgrade pgbouncer
# Restart the service after upgrading
sudo systemctl restart pgbouncer
# Confirm the patched version is active
pgbouncer --version | grep -E '1\.25\.[2-9]|1\.2[6-9]|1\.[3-9][0-9]'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
