Skip to main content
CVE Vulnerability Database

CVE-2026-6665: PgBouncer Buffer Overflow Vulnerability

CVE-2026-6665 is a buffer overflow vulnerability in PgBouncer's SCRAM authentication code that allows malicious backends to trigger stack overflow. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-6665 Overview

CVE-2026-6665 is a stack-based buffer overflow vulnerability in PgBouncer, the lightweight connection pooler for PostgreSQL. The flaw resides in the Salted Challenge Response Authentication Mechanism (SCRAM) code path in versions before 1.25.2. PgBouncer fails to correctly check the return value of strlcat() when constructing the SCRAM client-final-message. A malicious backend that returns a SCRAM server-final-message containing an oversized nonce can trigger a stack overflow in the PgBouncer process. The vulnerability is exploitable over the network without authentication and can lead to memory corruption affecting confidentiality, integrity, and availability.

Critical Impact

A malicious PostgreSQL backend can corrupt PgBouncer's stack memory through a crafted SCRAM authentication response, enabling potential remote code execution against the connection pooler.

Affected Products

  • PgBouncer versions prior to 1.25.2
  • Deployments using SCRAM authentication with PostgreSQL backends
  • All platforms running affected PgBouncer builds

Discovery Timeline

  • 2026-05-09 - CVE-2026-6665 published to the National Vulnerability Database (NVD)
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-6665

Vulnerability Analysis

The vulnerability is classified as a stack-based buffer overflow [CWE-121]. PgBouncer implements SCRAM-SHA-256 authentication when proxying connections between clients and PostgreSQL backends. During the SCRAM handshake, PgBouncer constructs the client-final-message by appending data including the server-provided nonce.

The strlcat() function returns the total length the resulting string would have been, regardless of whether truncation occurred. PgBouncer ignores this return value, so it does not detect when concatenation would exceed the destination buffer on the stack. When a malicious backend sends a server-final-message with an unusually long nonce, the resulting write overruns the fixed-size stack buffer.

Root Cause

The root cause is improper handling of the strlcat() return value when building SCRAM authentication messages. The code assumes the destination buffer is large enough to hold concatenated nonce data without validating actual sizes. This violates safe string handling practices and produces a writable overflow on the stack frame of the SCRAM client function.

Attack Vector

Exploitation requires that PgBouncer connect to an attacker-controlled or compromised PostgreSQL backend that returns a malicious SCRAM server-final-message. The attack is network-based and requires no prior authentication to PgBouncer itself. An adversary controlling the backend, or capable of man-in-the-middle interception of an unencrypted backend connection, can deliver the oversized nonce. Successful exploitation overwrites adjacent stack data, potentially including return addresses and saved registers, leading to denial of service or arbitrary code execution in the PgBouncer process.

No verified public exploitation code is available. For technical context, refer to the PgBouncer Changelog Entry.

Detection Methods for CVE-2026-6665

Indicators of Compromise

  • Unexpected crashes or segmentation faults in the PgBouncer process during SCRAM authentication
  • PgBouncer log entries showing SCRAM handshake failures originating from specific backend hosts
  • Anomalous backend connections to hosts outside the approved PostgreSQL inventory

Detection Strategies

  • Inventory PgBouncer installations and compare reported versions against 1.25.2 or later
  • Monitor PgBouncer worker processes for abnormal termination, core dumps, or restart loops
  • Inspect network traffic between PgBouncer and PostgreSQL backends for SCRAM messages containing oversized nonce fields
  • Audit configured backend connection strings for unexpected or untrusted PostgreSQL hosts

Monitoring Recommendations

  • Enable verbose PgBouncer logging and forward logs to a centralized analytics platform for correlation
  • Alert on repeated SCRAM authentication failures associated with the same backend endpoint
  • Track outbound connections from PgBouncer hosts to ensure they target only approved PostgreSQL servers

How to Mitigate CVE-2026-6665

Immediate Actions Required

  • Upgrade PgBouncer to version 1.25.2 or later on all affected hosts
  • Restrict PgBouncer backend configurations to trusted, internally managed PostgreSQL servers only
  • Enforce TLS for all PgBouncer-to-backend connections to prevent man-in-the-middle injection of malicious SCRAM responses
  • Restart PgBouncer services after patching to ensure the vulnerable code path is no longer loaded

Patch Information

The PgBouncer project released the fix in version 1.25.2. The patch validates the strlcat() return value when building the SCRAM client-final-message, preventing stack buffer overrun when a backend supplies an oversized nonce. Review the PgBouncer Changelog Entry for the full list of fixes included in the release.

Workarounds

  • Limit backend connectivity to PostgreSQL servers under direct administrative control until patching is complete
  • Disable SCRAM authentication paths where operationally feasible and use alternative authentication backed by TLS client certificates
  • Place PgBouncer and its backends on isolated network segments to reduce exposure to attacker-controlled servers
bash
# Verify installed PgBouncer version
pgbouncer --version

# Example Debian/Ubuntu upgrade
sudo apt-get update
sudo apt-get install --only-upgrade pgbouncer

# Restart the service after upgrading
sudo systemctl restart pgbouncer

# Confirm the patched version is active
pgbouncer --version | grep -E '1\.25\.[2-9]|1\.2[6-9]|1\.[3-9][0-9]'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.