PgBouncer could allow internal attacker to cause system crashes

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-6665

An attacker who controls, or can impersonate, a backend database server that PgBouncer connects to can crash the PgBouncer service, and possibly compromise the host running it, by returning malformed SCRAM authentication data during the pooler's login to that backend. Because every application session to the database passes through the pooler, a crash takes down database access for all of them, not just the one whose backend was malicious.

Halo Surface Signal: 1

Affected: PgBouncer before 1.25.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-6665

This vulnerability requires an attacker to control, or impersonate, a backend database server that PgBouncer authenticates to. PgBouncer is an infrastructure component normally deployed inside internal network segments, between applications and their databases, so direct exposure of the vulnerable code path to the public internet is very unlikely in common, secure deployments. The realistic attacker is therefore one who has already compromised a database host or can spoof the network path between the pooler and the database.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in PgBouncer could allow a malicious server to cause a stack overflow by sending a specially crafted message. This could disrupt the availability of database connections managed by PgBouncer.

  • Can affect availability.
  • Requires interaction with a backend server.

Attack Path

How an attacker could exploit the issue

A malicious or impersonated backend database server can exploit this flaw by returning a crafted SCRAM server-final-message with an overlong nonce while PgBouncer authenticates to it. The overflow occurs when PgBouncer builds its SCRAM client-final-message from that nonce in a fixed-size stack buffer. The reliable outcome is a crash of the PgBouncer service; remote code execution is possible only if the overflow turns out to be controllable, which the advisory does not establish.

  • Requires attacker control of a backend.
  • Targets PgBouncer SCRAM authentication.
  • Long nonce triggers overflow.

Live Threat

Current exploitation, exposure, and threat context

This SCRAM stack overflow vulnerability in PgBouncer is unlikely to be weaponized by external attackers. The complexity of needing to control or impersonate a backend database server to trigger the vulnerability, combined with PgBouncer's typical deployment within secure internal networks, significantly reduces its appeal for widespread exploitation.

  • Requires backend control.
  • Network deployment limits reach.
  • No public exploit available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating PgBouncer to version 1.25.2 or later to address the critical SCRAM stack overflow vulnerability; `pgbouncer --version` shows the running build. If immediate patching is not feasible, reduce the chance that anything other than the intended database can answer a backend connection: restrict outbound connections from the pooler host to the known database servers, and set `server_tls_sslmode = verify-full` together with `server_tls_ca_file` in pgbouncer.ini so that an attacker who can spoof a backend's address cannot complete the TLS handshake. Neither step protects against a backend that is itself compromised, so treat them as a stopgap, not a fix.

  • Update PgBouncer to 1.25.2 or later.
  • Until then, limit which hosts the pooler can reach as backends and verify backend TLS certificates (`server_tls_sslmode = verify-full`).
  • Monitor PgBouncer logs for unexpected backend connections, SCRAM authentication failures against backends, and unexplained process restarts.

Frequently asked questions

What is the SCRAM code vulnerability in PgBouncer?

PgBouncer versions before 1.25.2 have a flaw in their SCRAM code. Specifically, the return value of `strlcat()` was not correctly checked when building the SCRAM client-final-message. `strlcat()` never writes past the buffer size it is given, but it returns the length the concatenated string would have had, not the length that actually fit; code that trusts that value as an offset, or assumes the append succeeded, turns silent truncation into writes past the end of the buffer. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger exactly that, overflowing a stack buffer.

How does the PgBouncer SCRAM vulnerability work?

A malicious backend server exploits this weakness by sending a specially crafted SCRAM server-final-message containing a long nonce. PgBouncer copies that nonce into the client-final-message it is building, and because the length check on `strlcat()` was missing, the overlong input overflows the fixed-size stack buffer, crashing the pooler.
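To make the failure mode described in the two answers above concrete, the following C program (an added example written for this page, not PgBouncer's code) builds a SCRAM client-final-message into a fixed-size buffer with a BSD-style `strlcat()` and checks every return value against the buffer size, which is the class of check the advisory describes as missing. The `my_strlcat`, `append_checked` and `build_client_final` names, the 128-byte buffer, and the nonce and proof strings are constructed for the example and are not taken from PgBouncer.

```c
#include <stdio.h>
#include <string.h>

/* Portable BSD-style strlcat (supplied here so the example builds on libc
 * versions that lack it). Appends src to the NUL-terminated dst inside a
 * buffer of `size` bytes, always leaves dst NUL-terminated, and returns
 * strlen(original dst) + strlen(src): the length the result WOULD have had.
 * A return value >= size therefore means the output was truncated. */
static size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == size)               /* dst not terminated within size */
        return size + slen;
    size_t room = size - dlen - 1;
    size_t ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* The check the advisory describes as missing: compare the strlcat()
 * return value with the buffer size instead of assuming the append fit.
 * Returns 0 on success, -1 if the piece was truncated. */
static int append_checked(char *buf, size_t bufsz, const char *piece)
{
    return my_strlcat(buf, piece, bufsz) >= bufsz ? -1 : 0;
}

/* Builds a SCRAM client-final-message, "c=biws,r=<nonce>,p=<proof>", into a
 * caller-supplied fixed-size buffer. Returns 0 on success; returns -1 and
 * leaves buf empty if any piece (in the attack on this page, an overlong
 * server-supplied nonce) would not fit. An unchecked variant would take
 * the truncated-but-oversized length and keep writing from there, past the
 * end of a stack buffer. */
int build_client_final(char *buf, size_t bufsz, const char *nonce, const char *proof)
{
    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    if (append_checked(buf, bufsz, "c=biws,r=") < 0 ||
        append_checked(buf, bufsz, nonce) < 0 ||
        append_checked(buf, bufsz, ",p=") < 0 ||
        append_checked(buf, bufsz, proof) < 0) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char msg[128];                  /* fixed-size stack buffer, as in the bug class */
    char long_nonce[1024];          /* constructed overlong nonce: 1023 x 'A' */
    memset(long_nonce, 'A', sizeof long_nonce - 1);
    long_nonce[sizeof long_nonce - 1] = '\0';

    /* Constructed placeholder nonce and proof, not real SCRAM values. */
    if (build_client_final(msg, sizeof msg,
                           "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j",
                           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") == 0)
        printf("ok: %s\n", msg);
    if (build_client_final(msg, sizeof msg, long_nonce, "AAAA") < 0)
        printf("rejected %zu-byte nonce instead of overflowing the %zu-byte buffer\n",
               strlen(long_nonce), sizeof msg);
    return 0;
}
```

The point to carry away is that `strlcat()` itself is memory-safe: the danger is the surrounding code that treats its return value as "bytes written" rather than "bytes needed". Any fix in this class either refuses the message when the return value reaches the buffer size, as above, or sizes the buffer from the input length before copying.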

What is the impact of the PgBouncer SCRAM stack overflow?

The primary impact of this vulnerability is a potential denial of service due to a stack overflow, causing the PgBouncer service to crash. This disrupts the availability of database connections managed by PgBouncer.

What is the relevance of the PgBouncer SCRAM vulnerability?

The relevance is moderate. Exploiting this flaw requires an attacker to control or impersonate a backend database server, which is an unlikely scenario for external attackers. PgBouncer is typically deployed internally, limiting the threat's reach.

How can I address the PgBouncer SCRAM vulnerability?

The recommended action is to update PgBouncer to version 1.25.2 or later. If immediate patching isn't possible, isolate the affected PgBouncer services to limit potential exploitation by malicious backends and monitor for unusual activity.
