Critical Integer Overflow Vulnerability in PgBouncer (CVE-2026-6664)

Critical Integer Overflow Vulnerability in PgBouncer (CVE-2026-6664)

First seen 20 May 2026, 21:59 UTC nvd.nist.govexploit-intel.com 88% similarity 72.0

Article Content

Browse articles
ThreatCluster

A critical integer overflow vulnerability (CVE-2026-6664) has been identified in PgBouncer versions prior to 1.25.2. This flaw allows unauthenticated remote attackers to crash the service by sending a malformed SCRAM authentication packet. The vulnerability bypasses a boundary check in the network packet parsing code, specifically in the `mbuf_get_bytes()` function. A proof-of-concept exploit demonstrating this denial-of-service condition was released on May 13, 2026. Affected versions include all PgBouncer releases up to and including 1.25.1. System administrators are urged to upgrade to version 1.25.2 or later to mitigate this risk. The vulnerability was published on May 9, 2026, and poses a significant threat to systems using PgBouncer for connection pooling.

Key Points: • CVE-2026-6664 allows unauthenticated remote attackers to crash PgBouncer. • The vulnerability affects all versions of PgBouncer prior to 1.25.2. • A proof-of-concept exploit was made public on May 13, 2026.

ThreatCluster AI

Timeline

2026-05-09
CVE-2026-6664 published
The vulnerability in PgBouncer was officially disclosed, affecting versions <= 1.25.1.
nvd.nist.gov
2026-05-13
First public PoC released
A functional proof-of-concept exploit demonstrating the crash of PgBouncer was published.
exploit-intel.com
2026-05-20
Security advisory issued
Administrators are advised to upgrade to PgBouncer version 1.25.2 or later to mitigate the vulnerability.
exploit-intel.com

Community

Browse all →