ZeroPath at Black Hat USA 2026

Brief Summary: PgBouncer CVE-2026-6665 SCRAM Authentication Stack Overflow via Malicious Backend Nonce

A short review of CVE-2026-6665, a high severity stack overflow in PgBouncer's SCRAM authentication code that can be triggered by a malicious PostgreSQL backend sending an oversized nonce in the server final message.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-08

Brief Summary: PgBouncer CVE-2026-6665 SCRAM Authentication Stack Overflow via Malicious Backend Nonce
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing bounds check in PgBouncer's SCRAM authentication code means that a rogue PostgreSQL backend can corrupt the stack of the connection pooler simply by replying with an oversized nonce during the authentication handshake. For any organization that routes database traffic through PgBouncer, and that includes cloud providers like Neon and Aiven, this CVSS 8.1 flaw (CVE-2026-6665) deserves prompt attention.

PgBouncer is an open source, lightweight connection pooler built specifically for PostgreSQL. It is a foundational component in high scale database architectures, enabling applications to multiplex thousands of client connections over a smaller pool of actual backend connections. Neon, for instance, uses PgBouncer to support up to 10,000 concurrent connections per compute unit, and Aiven integrates it across their managed PostgreSQL offerings.

Technical Information

Root Cause

The vulnerability is rooted in how PgBouncer constructs the SCRAM client final message during authentication with a PostgreSQL backend. The strlcat() function is used to concatenate strings, including the server supplied nonce, into a stack allocated buffer. By design, strlcat() returns the total length of the string it attempted to create. If this value exceeds the size of the destination buffer, it signals that truncation has occurred and the caller should handle the overflow condition.

In PgBouncer versions before 1.25.2, the return value of strlcat() is not correctly checked. This means the code proceeds as if the concatenation succeeded even when the data exceeds the buffer boundary, resulting in a classic stack based buffer overflow (CWE-121).

Attack Flow

The exploitation path proceeds as follows:

  1. Attacker controls a backend: The attacker either compromises an existing PostgreSQL backend or provisions a malicious one that PgBouncer is configured to connect to. This is a realistic scenario in multi tenant environments, shared hosting platforms, or situations where backend connection strings are dynamically configured.

  2. SCRAM handshake begins: PgBouncer initiates a SCRAM authentication exchange with the malicious backend. This is the default authentication mechanism for modern PostgreSQL deployments using SCRAM SHA 256.

  3. Malicious server final message: The backend responds with a SCRAM server final message containing an excessively long nonce value. The SCRAM protocol includes a nonce that the server extends from the client supplied value; the protocol itself does not impose a strict upper bound on nonce length.

  4. Stack overflow triggered: PgBouncer calls strlcat() to append the oversized nonce into the stack allocated buffer for the client final message. Because the return value is not validated, the write exceeds the buffer boundary and corrupts adjacent stack memory.

  5. Memory corruption: Depending on the stack layout and platform protections, this corruption could lead to a crash (denial of service) or potentially to control flow hijacking if an attacker can carefully craft the nonce contents.

Relationship to CVE-2026-6664

The same PgBouncer 1.25.2 release also addresses CVE-2026-6664, an integer overflow in network packet parsing that allows an unauthenticated remote attacker to crash PgBouncer using a malformed SCRAM authentication packet. The two vulnerabilities share the SCRAM authentication code path but have distinct root causes and threat models. CVE-2026-6664 does not require backend control and can be triggered by any unauthenticated network peer, making the pair of flaws particularly concerning when considered together.

Affected Systems and Versions

All versions of PgBouncer prior to 1.25.2 are affected. The vulnerability is specifically triggered when PgBouncer authenticates to a backend using SCRAM (SCRAM SHA 256).

Current packaging status across distribution channels:

Distribution ChannelObserved VersionStatus
Upstream Release1.25.2Patched
Homebrew1.25.2Patched
Docker Hardened Images1.25.x (fips)Verify image digest contains 1.25.2
Oracle Linux Yum1.25.1Vulnerable
Debian Trixie1.24.1Vulnerable

Organizations relying on Oracle Linux or Debian packages should monitor their respective repositories for updates or consider building PgBouncer 1.25.2 from source.

Vendor Security History

The release of PgBouncer 1.25.2 addresses two distinct memory corruption vulnerabilities in the SCRAM authentication path simultaneously: CVE-2026-6665 (this stack overflow) and CVE-2026-6664 (an integer overflow in packet parsing). The presence of multiple memory safety issues in the same authentication code path suggests that this area of the codebase had not previously undergone thorough security review. The PgBouncer project maintains an active changelog and responds to security disclosures, but the clustering of these flaws in a single release is worth noting for organizations that depend on PgBouncer as a security boundary between clients and backends.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization