
Critical Integer Overflow Vulnerability in PgBouncer (CVE-2026-6664)

Severity: High (Score: 72.0)

Sources: nvd.nist.gov, exploit-intel.com

Published: 2026-05-20 · Updated: 2026-05-21

Keywords: pgbouncer, crash, integer, overflow, network, packet, parsing

Severity indicators: integer overflow

Summary

An integer overflow vulnerability (CVE-2026-6664) has been identified in PgBouncer versions prior to 1.25.2. An unauthenticated remote attacker can crash the service by sending a malformed SCRAM authentication packet: the overflow occurs in the network packet parsing code, in the `mbuf_get_bytes()` function, and causes a boundary check to be bypassed. All PgBouncer releases up to and including 1.25.1 are affected. The vulnerability was published on May 9, 2026, and a proof-of-concept exploit demonstrating the denial-of-service condition was released on May 13, 2026. Because PgBouncer sits in front of PostgreSQL as a connection pooler, a crash takes database access down with it; administrators are urged to upgrade to version 1.25.2 or later.

Key Points:

  • CVE-2026-6664 allows unauthenticated remote attackers to crash PgBouncer.
  • The vulnerability affects all versions of PgBouncer prior to 1.25.2.
  • A proof-of-concept exploit was made public on May 13, 2026.

Detailed Analysis

**Impact** PgBouncer versions prior to 1.25.2 are affected: an unauthenticated remote attacker can crash the service, causing a denial of service. This impacts organizations using PgBouncer as a PostgreSQL connection pooler, since every client routed through the pooler loses database access until the process is restarted. No data exfiltration or corruption is reported; the only consequence described in the sources is service downtime. Specific sectors or geographies affected are not detailed in the sources.

**Technical Details** CVE-2026-6664 is an integer overflow (CWE-190) in the `mbuf_get_bytes()` function of PgBouncer's network packet parsing code, triggered by a malformed SCRAM authentication packet. The wrapped value defeats a boundary check that should have rejected the packet, and the resulting out-of-bounds access crashes PgBouncer in versions up to and including 1.25.1. The attack vector is unauthenticated remote access to the PgBouncer listen port, so no database credentials are needed. A proof-of-concept exploit is publicly available. No additional malware or IOCs are mentioned in the sources.

**Recommended Response** Upgrade to PgBouncer 1.25.2 or later immediately; this is the only remediation described. Until the upgrade is done, reduce exposure by restricting which networks can reach the PgBouncer listen port (host firewall and the `listen_addr` setting) and by rate limiting connection attempts from untrusted sources. Monitoring network traffic for malformed SCRAM authentication packets is possible only where the client connection is not protected by TLS, since a passive monitor cannot see the authentication payload inside a TLS session; on the host itself, unexpected PgBouncer process exits and restarts are the practical indicator of exploitation attempts. No detection signatures or IOCs are currently available.
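To make the failure mode concrete, the following is an added example written for this page; it is not code from PgBouncer or from the sources. It shows a minimal bounded reader in the role that `mbuf_get_bytes()` plays, in an overflowing form beside a hardened form, driven by a constructed SASLInitialResponse message whose declared initial-response length is chosen to wrap the bound check. The PostgreSQL framing used (NUL-terminated mechanism name, big-endian Int32 length with -1 meaning no initial response, then the response bytes) follows the documented protocol; the `struct reader` layout, its field names and the sample `n,,n=alice,r=clientnonce` client-first string are assumptions, and the sources do not say where exactly PgBouncer's real check sits or how the proof of concept triggers it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded reader over one packet body. Illustrative only: NOT PgBouncer's
 * mbuf code; struct and field names are assumptions. */
struct reader {
    const uint8_t *data;
    unsigned read_pos;   /* bytes already consumed */
    unsigned write_pos;  /* bytes available in data */
};

typedef bool (*get_bytes_fn)(struct reader *r, unsigned len, const uint8_t **dst);

/* Overflowing check (CWE-190): read_pos + len wraps for a len near UINT_MAX,
 * the comparison passes, and the caller receives a pointer it will read
 * past the end of the buffer. */
static bool get_bytes_overflowing(struct reader *r, unsigned len, const uint8_t **dst)
{
    if (r->read_pos + len > r->write_pos)
        return false;
    *dst = r->data + r->read_pos;
    r->read_pos += len;
    return true;
}

/* Hardened check: compare len against the bytes remaining. read_pos never
 * exceeds write_pos, so the subtraction cannot wrap. */
static bool get_bytes_checked(struct reader *r, unsigned len, const uint8_t **dst)
{
    if (len > r->write_pos - r->read_pos)
        return false;
    *dst = r->data + r->read_pos;
    r->read_pos += len;
    return true;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the body of a PostgreSQL SASLInitialResponse ('p') message:
 * String mechanism, Int32 initial-response length (-1 = none), Byte[n] data.
 * Returns true if the reader accepted the message; *overread is set when the
 * accepted length exceeds what the buffer really holds (the crash case). */
static bool parse_sasl_initial_response(const uint8_t *body, unsigned body_len,
                                        get_bytes_fn get_bytes, bool *overread)
{
    struct reader r = { body, 0, body_len };
    const uint8_t *p;
    *overread = false;

    const uint8_t *nul = memchr(body, 0, body_len);   /* mechanism is NUL-terminated */
    if (nul == NULL)
        return false;
    if (!get_bytes(&r, (unsigned)(nul - body) + 1, &p))
        return false;

    if (!get_bytes(&r, 4, &p))
        return false;
    uint32_t resp_len = get_be32(p);
    if (resp_len == 0xFFFFFFFFu)                       /* -1: no initial response */
        return true;

    unsigned remaining = r.write_pos - r.read_pos;
    if (!get_bytes(&r, resp_len, &p))
        return false;
    *overread = resp_len > remaining;
    return true;
}

/* Build a constructed SCRAM-SHA-256 SASLInitialResponse body whose declared
 * initial-response length is attacker-controlled. Returns the body length. */
static unsigned build_body(uint8_t *out, uint32_t declared_len)
{
    static const char mech[] = "SCRAM-SHA-256";                 /* 13 chars + NUL */
    static const char client_first[] = "n,,n=alice,r=clientnonce"; /* sample, 24 bytes */
    unsigned n = 0;
    memcpy(out + n, mech, sizeof mech);
    n += (unsigned)sizeof mech;
    out[n++] = (uint8_t)(declared_len >> 24);
    out[n++] = (uint8_t)(declared_len >> 16);
    out[n++] = (uint8_t)(declared_len >> 8);
    out[n++] = (uint8_t)declared_len;
    memcpy(out + n, client_first, strlen(client_first));
    n += (unsigned)strlen(client_first);
    return n;
}

/* 0 = rejected, 1 = accepted, 2 = accepted although the length runs past the buffer */
static int run_case(get_bytes_fn get_bytes, uint32_t declared_len)
{
    uint8_t body[64];
    bool overread;
    unsigned n = build_body(body, declared_len);
    if (!parse_sasl_initial_response(body, n, get_bytes, &overread))
        return 0;
    return overread ? 2 : 1;
}

int main(void)
{
    printf("honest length,   overflowing reader: %d\n", run_case(get_bytes_overflowing, 24));
    printf("wrapping length, overflowing reader: %d\n", run_case(get_bytes_overflowing, 0xFFFFFFF0u));
    printf("wrapping length, checked reader:     %d\n", run_case(get_bytes_checked, 0xFFFFFFF0u));
    return 0;
}
```

With the honest length both readers accept the message, and a length that is merely one byte too long is rejected by both, which is why such a check looks correct in ordinary testing. Only a length chosen so that `read_pos + len` wraps past zero slips through the overflowing reader; the hardened form compares against the remaining space instead and rejects it.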

Source articles (2)

  • CVE 2026 6664 — exploit-intel.com · 2026-05-20
    An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed…
  • CVE 2026 6664 — nvd.nist.gov · 2026-05-20
    An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed…

Timeline

  • 2026-05-09 — CVE-2026-6664 published: The vulnerability in PgBouncer was officially disclosed, affecting versions <= 1.25.1.
  • 2026-05-13 — First public PoC released: A functional proof-of-concept exploit demonstrating the crash of PgBouncer was published.
  • 2026-05-20 — Security advisory issued: Administrators are advised to upgrade to PgBouncer version 1.25.2 or later to mitigate the vulnerability.

CVEs

  • CVE-2026-6664

Related entities

  • DoS (Attack Type)
  • CWE-190 - Integer Overflow or Wraparound (CWE)
  • T1499 - Endpoint Denial of Service (MITRE ATT&CK)
  • PgBouncer (Platform)