The PgBouncer team released version 1.25.2 on May 8, 2026, addressing four distinct security vulnerabilities: CVE-2026-6664, CVE-2026-6665, CVE-2026-6666, and CVE-2026-6667.
Together they expose PostgreSQL environments to unauthenticated crashes, stack overflows, null pointer dereferences, and unauthorized admin command execution. All users running PgBouncer versions before 1.25.2 should upgrade immediately.
PgBouncer is a widely deployed, lightweight connection pooler for PostgreSQL that sits between application servers and the database, managing and reusing database connections to improve scalability and performance.
Because it handles all incoming network traffic before it reaches the database, any vulnerability in PgBouncer’s parsing or authentication layers is especially dangerous; an attacker doesn’t need valid credentials to crash or potentially manipulate the service.
This makes the newly disclosed flaws fixed in PgBouncer 1.25.2 particularly urgent for database administrators and DevOps teams managing high-traffic PostgreSQL deployments.
CVE-2026-6664: Integer Overflow in Network Packet Parsing
The most critical of the four vulnerabilities, CVE-2026-6664, is an integer overflow flaw residing in PgBouncer’s network packet parsing code. The overflow causes a boundary check to be bypassed during the parsing of incoming network data, leading directly to a crash of the PgBouncer process.
What makes this especially dangerous is that no authentication is required; a remote attacker can craft a malformed SCRAM authentication packet and send it to the PgBouncer listener, triggering the crash immediately.
This represents a high-severity denial-of-service (DoS) vector that could disrupt database connectivity across entire application stacks in production environments. Organizations running PgBouncer in internet-facing or multi-tenant configurations face the highest exposure risk.
CVE-2026-6665: Stack Overflow via SCRAM Server Final Message
CVE-2026-6665 targets a different layer of PgBouncer’s SCRAM (Salted Challenge Response Authentication Mechanism) implementation. The vulnerability stems from the SCRAM code failing to correctly check the return value of strlcat() when constructing the SCRAM client-final-message.
A malicious backend server that sends a SCRAM server-final-message containing an excessively long nonce can trigger a stack overflow, causing PgBouncer to crash. This attack vector differs from CVE-2026-6664 in that it requires a compromised or malicious PostgreSQL backend rather than a direct client attack.
Still, it is equally dangerous in environments where backend trust boundaries are not strictly enforced, such as shared hosting platforms or misconfigured cloud database deployments.
CVE-2026-6666: Null Pointer Dereference on Server Error Responses
CVE-2026-6666 is a null pointer dereference vulnerability triggered when a backend server sends an error response that is missing the mandatory SQLSTATE field.
Under normal PostgreSQL protocol behavior, SQLSTATE is always present in error messages, but a malicious or non-standard server could intentionally omit it to crash PgBouncer. This could be exploited in a man-in-the-middle attack or by a rogue PostgreSQL server instance in environments with inadequate backend validation.
Though the attack surface is narrower than that of CVE-2026-6664, the resulting denial-of-service is equally complete. The fix ensures PgBouncer gracefully handles the absence of the SQLSTATE field without dereferencing a null pointer.
CVE-2026-6667: Insufficient Authorization for KILL_CLIENT Admin Command
CVE-2026-6667 addresses an authorization logic flaw in PgBouncer’s administration console. The KILL_CLIENT admin command, which forcibly terminates active client connections, was executable by any user with access to the admin console, not just privileged administrators.
The correct behavior, now enforced in 1.25.2, restricts this command exclusively to users listed in the admin_users configuration parameter. Exploiting this vulnerability requires prior access to the PgBouncer admin console (which itself requires authorization).
An attacker or compromised low-privilege admin account could abuse KILL_CLIENT to disrupt service by terminating legitimate database connections at will, a significant privilege escalation concern in multi-user operational environments.
Beyond the four security patches, PgBouncer 1.25.2 also ships several non-security refinements. The documentation for the default_pool_size parameter has been clarified to better explain its behavior in pooling configurations.
Additionally, the documentation entries for the client_tls13_ciphers and server_tls13_ciphers parameters have been corrected; the previous incorrect entries posed a risk of misconfiguration for administrators who rely on the documentation to set up TLS 1.3 cipher suites.
These documentation corrections follow a broader trend in the PgBouncer project of improving configuration guidance alongside security patches, as seen in previous 1.25.x releases.
Mitigation
Upgrading to PgBouncer 1.25.2 is the only complete remediation for all four CVEs. For teams unable to patch immediately, the following interim mitigations reduce exposure:
- Network segmentation: Restrict PgBouncer’s listener port to trusted application subnets only, reducing the unauthenticated attack surface for CVE-2026-6664.
- Backend validation: Ensure all backend PostgreSQL servers are trusted and properly configured, mitigating CVE-2026-6665 and CVE-2026-6666.
- Admin console access control: Audit all users with admin console access and enforce a strict admin_users configuration to limit exposure from CVE-2026-6667.
- Monitor for crashes: Enable crash alerting on PgBouncer processes to detect active exploitation attempts while a patch window is scheduled.
Packages have been updated across major Linux distributions, including Debian, Ubuntu, and RHEL/Rocky Linux PGDG repositories. CloudNativePG users should verify that their Pooler resources are rolling to the updated image automatically.
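As an added example (not from the PgBouncer project or this advisory), the following Python script checks the points above against a pgbouncer.ini and the output of `pgbouncer --version`: whether the running build is at least 1.25.2, whether the listener is bound to a wildcard address, and which accounts outside admin_users can still reach the admin console on an unpatched build. The ini content and user names are constructed for illustration.

```python
import configparser
import re

PATCHED = (1, 25, 2)  # first release fixing CVE-2026-6664 through CVE-2026-6667

# Constructed sample pgbouncer.ini; not taken from any real deployment.
SAMPLE_INI = """
[databases]
app = host=db.internal port=5432 dbname=app

[pgbouncer]
listen_addr = *
listen_port = 6432
auth_type = scram-sha-256
admin_users = pgbouncer_admin
stats_users = grafana, deploy
"""


def parse_version(text):
    """Extract the first x.y.z triple from e.g. 'PgBouncer 1.25.1\\nlibevent ...'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    return parse_version(version_text) >= PATCHED


def split_users(value):
    return [u.strip() for u in value.split(",") if u.strip()]


def audit(ini_text, version_text):
    """Return findings tied to the interim mitigations; empty list means nothing flagged."""
    cfg = configparser.ConfigParser(interpolation=None)  # ini values may contain '%'
    cfg.read_string(ini_text)
    pgb = cfg["pgbouncer"]
    findings = []
    if not is_patched(version_text):
        findings.append("running %s; upgrade to 1.25.2 or later" % version_text.strip().splitlines()[0])
    if pgb.get("listen_addr", "127.0.0.1").strip() in ("*", "0.0.0.0", "::"):
        findings.append("listen_addr is a wildcard; restrict to trusted subnets (CVE-2026-6664)")
    admins = split_users(pgb.get("admin_users", ""))
    stats = split_users(pgb.get("stats_users", ""))
    if not admins:
        findings.append("admin_users is empty; console access is unrestricted by role")
    # stats_users also get admin console access; before 1.25.2 they could issue KILL_CLIENT.
    if stats and not is_patched(version_text):
        findings.append("pre-1.25.2 with non-admin console users %s (CVE-2026-6667)" % ", ".join(stats))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INI, "PgBouncer 1.25.1"):
        print("FINDING:", line)
```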
FAQ
Q1: Which versions of PgBouncer are affected by CVE-2026-6664 through CVE-2026-6667?
All PgBouncer versions before 1.25.2 are vulnerable to these four security flaws.
Q2: Can CVE-2026-6664 be exploited without any credentials or prior access?
Yes, an unauthenticated remote attacker can crash PgBouncer by sending a single malformed SCRAM authentication packet.
Q3: Does CVE-2026-6667 require network-level access to exploit?
No, it requires access to the PgBouncer admin console, but any user with that access (not just admin_users) could exploit it before the patch.
Q4: Where can administrators download PgBouncer 1.25.2?
The release is available on the official PgBouncer GitHub releases page and through major Linux distribution package managers, including PGDG repositories.
Site: thecybrdef.com