Description
The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
Published: 2026-05-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PgBouncer versions prior to 1.25.2 contain a stack buffer overflow in the construction of the SCRAM client-final-message. The flaw arises because the return value of strlcat() is not checked correctly, so a backend that sends a SCRAM server-final-message with a very long nonce can overflow the stack buffer. An attacker who can supply such a message can potentially overwrite critical stack data, leading to arbitrary code execution or denial of service on the PgBouncer instance. The weakness is a classic stack-based buffer overflow (CWE-121).
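As an added illustration of the check the description refers to (not PgBouncer's code), the hypothetical builder below assembles a SCRAM client-final-message in a fixed-size buffer and treats any strlcat() return value >= the buffer size as truncation, rejecting the message instead of writing past the buffer. A local strlcat-compatible implementation is included because glibc before 2.38 does not provide one; the message layout follows RFC 5802 and the nonce values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local strlcat with the BSD contract (glibc before 2.38 ships none): returns
 * the length the full result WOULD have had, so a value >= size means the
 * output was truncated. dst is always NUL-terminated when size > 0. */
static size_t bsd_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src);
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)                 /* dst not terminated within size */
        return size + slen;
    size_t room = size - dlen - 1;
    size_t ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

/* Hypothetical builder (not PgBouncer's code) for the SCRAM client-final-message
 * "c=<gs2>,r=<client nonce><server nonce>,p=<proof>" (RFC 5802). Every append
 * is checked; a nonce too long for the buffer yields -1 instead of overflowing. */
int build_client_final(char *out, size_t outlen, const char *gs2_b64,
                       const char *combined_nonce, const char *proof_b64)
{
    const char *parts[] = { "c=", gs2_b64, ",r=", combined_nonce, ",p=", proof_b64 };
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        size_t n = bsd_strlcat(out, parts[i], outlen);
        if (n >= outlen)              /* truncated: abort the handshake */
            return -1;
    }
    return 0;
}

int main(void)
{
    char msg[128], long_nonce[300];   /* constructed oversized server nonce */
    memset(long_nonce, 'A', sizeof long_nonce - 1);
    long_nonce[sizeof long_nonce - 1] = '\0';
    printf("short nonce: %d\n", build_client_final(msg, sizeof msg, "biws", "cNonceSNonce", "proof=="));
    printf("long nonce:  %d\n", build_client_final(msg, sizeof msg, "biws", long_nonce, "proof=="));
    return 0;
}
```

The exact-fit case matters: a message of 31 characters fits a 32-byte buffer but not a 31-byte one, which is why the comparison must be `>=` rather than `>`.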

Affected Systems

The vulnerability affects PgBouncer prior to version 1.25.2. Any deployment using PgBouncer 1.25.1 or earlier that employs SCRAM authentication with a PostgreSQL backend is potentially exposed. The issue is resolved in PgBouncer 1.25.2 and later releases.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is rated high severity. No EPSS data is available and the flaw is not listed in CISA's KEV catalog. Exploitation requires that the attacker control or influence the PostgreSQL backend so that it sends a crafted SCRAM server-final-message; the flaw is therefore most relevant in environments where PgBouncer connects to a backend that may be compromised or misconfigured. If that precondition is met, the flaw can lead to arbitrary code execution on the PgBouncer host.

Generated by OpenCVE AI on May 9, 2026 at 03:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PgBouncer to version 1.25.2 or newer.
  • If an upgrade is not immediately possible, prevent PgBouncer from communicating with untrusted backends by restricting network access or disabling SCRAM authentication on those connections.
  • Monitor PgBouncer logs for abnormal termination or stack-overflow warnings and enforce strict firewall rules to isolate the PgBouncer process.

Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pgbouncer; Pgbouncer pgbouncer

Type: Vendors & Products
Values Removed: (none)
Values Added: Pgbouncer; Pgbouncer pgbouncer

Sat, 09 May 2026 01:15:00 +0000

Type: Description
Values Added: The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.

Type: Title
Values Added: PgBouncer buffer overflow in SCRAM

Type: Weaknesses
Values Added: CWE-121

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-09T00:43:46.762Z

Reserved: 2026-04-20T12:25:43.793Z

Link: CVE-2026-6665

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T01:16:09.013

Modified: 2026-05-09T01:16:09.013

Link: CVE-2026-6665

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T03:30:24Z

Weaknesses