PgBouncer Integer Overflow (CVE-2026-6664) Leads to Remote Crash
A critical integer overflow vulnerability, tracked as CVE-2026-6664, has been identified in PgBouncer versions prior to 1.25.2. According to the National Vulnerability Database, this flaw resides in the network packet parsing code, specifically when handling SCRAM authentication packets.
This vulnerability allows an unauthenticated remote attacker to bypass boundary checks by sending a specially crafted, malformed SCRAM authentication packet. The direct consequence is a denial-of-service condition, where the PgBouncer instance crashes. The National Vulnerability Database has assigned this a CVSS score of 7.5 (HIGH), highlighting the ease of exploitation and significant impact on availability.
For defenders, this is a straightforward, high-impact issue. An attacker doesn’t need credentials or prior access to take your PgBouncer instance offline. This translates directly to database unavailability and potential cascading application failures. The attacker’s calculus is simple: send a malformed packet, cause a crash, and disrupt services with minimal effort.
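The mechanism the advisory describes, an integer overflow that lets a length field slip past a boundary check, is easiest to see in code. The snippet below is an added illustration, not PgBouncer's code; the 1-byte type plus 4-byte length framing, the `HDR_LEN` constant and the two packet buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed framing for illustration only (not PgBouncer's real layout):
 * 1-byte message type, 4-byte big-endian body length, then the body.
 * pkt_len is the number of bytes actually received into the buffer. */
#define HDR_LEN 5u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable check: HDR_LEN + body_len is computed in 32-bit unsigned
 * arithmetic and wraps for a huge body_len, so the bound passes and any
 * later read of body_len bytes runs past the buffer. Returns 1 if accepted. */
int length_ok_naive(const uint8_t *pkt, uint32_t pkt_len) {
    if (pkt_len < HDR_LEN) return 0;
    uint32_t body_len = be32(pkt + 1);
    uint32_t end = HDR_LEN + body_len;   /* wraps when body_len > 0xFFFFFFFA */
    return end <= pkt_len;
}

/* Hardened check: compare body_len against the space that remains after the
 * header. The subtraction cannot wrap because pkt_len >= HDR_LEN was verified. */
int length_ok_safe(const uint8_t *pkt, uint32_t pkt_len) {
    if (pkt_len < HDR_LEN) return 0;
    uint32_t body_len = be32(pkt + 1);
    return body_len <= pkt_len - HDR_LEN;
}

/* Constructed 16-byte packets: one self-consistent, one whose length wraps. */
static const uint8_t pkt_good[16] = { 'p', 0x00, 0x00, 0x00, 0x0B,
                                      'S','C','R','A','M','-','b','o','d','y',0 };
static const uint8_t pkt_wrap[16] = { 'p', 0xFF, 0xFF, 0xFF, 0xFE,
                                      'S','C','R','A','M','-','b','o','d','y',0 };

int main(void) {
    printf("good: naive=%d safe=%d\n",
           length_ok_naive(pkt_good, 16), length_ok_safe(pkt_good, 16));
    printf("wrap: naive=%d safe=%d\n",
           length_ok_naive(pkt_wrap, 16), length_ok_safe(pkt_wrap, 16));
    return 0;
}
```

The naive check accepts the wrapping packet (the sum 5 + 0xFFFFFFFE becomes 3), while the hardened form rejects it; the fix is the standard "compare against remaining space" rewrite rather than summing offsets.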
What This Means For You
- If your organization uses PgBouncer, you need to immediately verify your deployed version. This isn't a theoretical threat; it's an unauthenticated remote crash. Patching PgBouncer to version 1.25.2 or later is the only way to mitigate CVE-2026-6664. Failing to do so leaves your critical database proxy wide open to trivial denial-of-service attacks.
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
CVE-2026-6664 PgBouncer SCRAM Auth Packet Crash - Free Tier
```yaml
title: CVE-2026-6664 PgBouncer SCRAM Auth Packet Crash - Free Tier
id: scw-2026-05-09-ai-1
status: experimental
level: critical
description: |
  Detects potential exploitation of CVE-2026-6664 by identifying unauthenticated remote attackers sending malformed SCRAM authentication packets to PgBouncer on its default port (6432), leading to a crash (indicated by a 500 status code in web server logs, often used to proxy PgBouncer). This rule is designed for the free tier as it directly targets the initial access vector of the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6664/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: authentication
detection:
  selection:
    src_ip:
      - '0.0.0.0/0'
    dst_port:
      - '6432'
    cs-uri-query|contains:
      - 'SCRAM'
    sc-status:
      - '500'
    EventType:
      - 'http'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6664 | DoS | PgBouncer before 1.25.2 |
| CVE-2026-6664 | Buffer Overflow | Integer overflow in network packet parsing code |
| CVE-2026-6664 | DoS | Malformed SCRAM authentication packet |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 04:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.