Introduction
A missing bounds check in PgBouncer's SCRAM authentication code means that a rogue PostgreSQL backend can corrupt the stack of the connection pooler simply by replying with an oversized nonce during the authentication handshake. For any organization that routes database traffic through PgBouncer, and that includes cloud providers like Neon and Aiven, this CVSS 8.1 flaw (CVE-2026-6665) deserves prompt attention.
PgBouncer is an open source, lightweight connection pooler built specifically for PostgreSQL. It is a foundational component in high scale database architectures, enabling applications to multiplex thousands of client connections over a smaller pool of actual backend connections. Neon, for instance, uses PgBouncer to support up to 10,000 concurrent connections per compute unit, and Aiven integrates it across their managed PostgreSQL offerings.
Technical Information
Root Cause
The vulnerability is rooted in how PgBouncer constructs the SCRAM client final message during authentication with a PostgreSQL backend. The strlcat() function is used to concatenate strings, including the server supplied nonce, into a stack allocated buffer. By design, strlcat() returns the total length of the string it attempted to create. If this value exceeds the size of the destination buffer, it signals that truncation has occurred and the caller should handle the overflow condition.
In PgBouncer versions before 1.25.2, the return value of strlcat() is not correctly checked. This means the code proceeds as if the concatenation succeeded even when the data exceeds the buffer boundary, resulting in a classic stack based buffer overflow (CWE-121).
Attack Flow
The exploitation path proceeds as follows:
-
Attacker controls a backend: The attacker either compromises an existing PostgreSQL backend or provisions a malicious one that PgBouncer is configured to connect to. This is a realistic scenario in multi tenant environments, shared hosting platforms, or situations where backend connection strings are dynamically configured.
-
SCRAM handshake begins: PgBouncer initiates a SCRAM authentication exchange with the malicious backend. This is the default authentication mechanism for modern PostgreSQL deployments using SCRAM SHA 256.
-
Malicious server final message: The backend responds with a SCRAM server final message containing an excessively long nonce value. The SCRAM protocol includes a nonce that the server extends from the client supplied value; the protocol itself does not impose a strict upper bound on nonce length.
-
Stack overflow triggered: PgBouncer calls
strlcat()to append the oversized nonce into the stack allocated buffer for the client final message. Because the return value is not validated, the write exceeds the buffer boundary and corrupts adjacent stack memory. -
Memory corruption: Depending on the stack layout and platform protections, this corruption could lead to a crash (denial of service) or potentially to control flow hijacking if an attacker can carefully craft the nonce contents.
Relationship to CVE-2026-6664
The same PgBouncer 1.25.2 release also addresses CVE-2026-6664, an integer overflow in network packet parsing that allows an unauthenticated remote attacker to crash PgBouncer using a malformed SCRAM authentication packet. The two vulnerabilities share the SCRAM authentication code path but have distinct root causes and threat models. CVE-2026-6664 does not require backend control and can be triggered by any unauthenticated network peer, making the pair of flaws particularly concerning when considered together.
Affected Systems and Versions
All versions of PgBouncer prior to 1.25.2 are affected. The vulnerability is specifically triggered when PgBouncer authenticates to a backend using SCRAM (SCRAM SHA 256).
Current packaging status across distribution channels:
| Distribution Channel | Observed Version | Status |
|---|---|---|
| Upstream Release | 1.25.2 | Patched |
| Homebrew | 1.25.2 | Patched |
| Docker Hardened Images | 1.25.x (fips) | Verify image digest contains 1.25.2 |
| Oracle Linux Yum | 1.25.1 | Vulnerable |
| Debian Trixie | 1.24.1 | Vulnerable |
Organizations relying on Oracle Linux or Debian packages should monitor their respective repositories for updates or consider building PgBouncer 1.25.2 from source.
Vendor Security History
The release of PgBouncer 1.25.2 addresses two distinct memory corruption vulnerabilities in the SCRAM authentication path simultaneously: CVE-2026-6665 (this stack overflow) and CVE-2026-6664 (an integer overflow in packet parsing). The presence of multiple memory safety issues in the same authentication code path suggests that this area of the codebase had not previously undergone thorough security review. The PgBouncer project maintains an active changelog and responds to security disclosures, but the clustering of these flaws in a single release is worth noting for organizations that depend on PgBouncer as a security boundary between clients and backends.
References
- PgBouncer Changelog: 1.25.x
- PgBouncer Official Site
- NVD Vulnerability Database
- CVE.org
- PgBouncer Homebrew Formula
- Debian Trixie PgBouncer Package
- Oracle Linux Yum: What's New
- Neon: Connection Pooling Documentation
- Aiven: Enhanced Password Security with SCRAM SHA 256
- PgBouncer 1.25.x Docker Hardened Image (fips)



