PgBouncer 1.25.2 Patches Four CVEs Including a Pre-Auth SCRAM Crash That Hits Every Currently Shipping Debian Release
An integer overflow in PgBouncer's SCRAM packet parser lets unauthenticated attackers crash the pooler, and three more flaws ship in the same release. Debian stable, testing, and pre-release archives are all still vulnerable.
Overview
The PgBouncer project shipped version 1.25.2 on May 8, 2026, fixing four CVEs in the PostgreSQL connection pooler that sits between most production Postgres deployments and their clients. The headline flaw, CVE-2026-6664, is an unauthenticated remote crash in the SCRAM authentication packet parser, rated 7.5 / HIGH by NVD. Three additional fixes address a stack-based buffer overflow from a malicious upstream Postgres backend, a null-pointer dereference triggered by malformed error responses, and a missing authorization check that let any console user issue KILL_CLIENT against arbitrary sessions, according to the PgBouncer changelog.
What We Know
The four CVEs disclosed alongside 1.25.2 cover distinct code paths in the pooler.
CVE-2026-6664, the integer-overflow flaw, is the only one in the set that is exploitable pre-authentication. The upstream entry describes it as “An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet,” per the PgBouncer changelog. NVD classifies it as CWE-190 (Integer Overflow or Wraparound) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H — availability-only impact, but reachable across the network with no privileges. The bug was reported by Johannes Möller, per the ThreatInt CVE record.
CVE-2026-6665 carries the highest CVSS in the batch — 8.1 / HIGH — because, unlike a crash, it can corrupt the stack. The CIRCL Vulnerability-Lookup entry classifies it as CWE-121, a stack-based buffer overflow, with confidentiality, integrity, and availability all flagged HIGH in the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The condition is narrower than the integer-overflow case: it requires the pooler to be talking to a malicious backend, since the PgBouncer changelog describes the trigger as “a SCRAM server-final-message with a long nonce” reaching a SCRAM client-final-message construction that “did not check the return value of strlcat() correctly.” In other words, this flaw matters in deployments where PgBouncer can be coerced into pointing at an attacker-controlled Postgres server, or where the upstream is otherwise compromised.
CVE-2026-6666, rated 5.9 / MEDIUM, is a null-pointer dereference: “A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field,” per the PgBouncer changelog. ThreatInt classifies it as CWE-476.
CVE-2026-6667 is the operational outlier. Rated 4.3 / MEDIUM and classified by ThreatInt as CWE-862 (Missing Authorization), it concerns the KILL_CLIENT admin command. The PgBouncer changelog says PgBouncer “did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.” The console is itself gated, so the practical impact is limited to environments where multiple operators share access to the pooler’s admin interface with different privilege intentions.
Three of the four CVEs — 6665, 6666, and 6667 — are credited to a researcher identified in the CIRCL entry and ThreatInt records as HarutoKimura. The integer-overflow finding was credited separately to Johannes Möller, per the ThreatInt record for CVE-2026-6664.
Beyond the four security fixes, the 1.25.2 release also clarified documentation for the default_pool_size parameter and corrected text describing the client_tls13_ciphers and server_tls13_ciphers options introduced in 1.25.0, per the PgBouncer changelog. The same changelog entry describes 1.25.0 — released November 9, 2025 under the codename “The one with LDAP support” — as the version that added LDAP authentication and client-side direct TLS to the pooler.
Distribution Status
For operators relying on distro packaging rather than building from source, the patch is not yet broadly available. The Debian Security Tracker page lists the package versions shipping in each release as of May 11, 2026: bookworm (Debian 12) still carries 1.18.0-1+deb12u1, trixie (the upcoming stable) is on 1.24.1-1+deb13u1, and forky is on 1.25.1-1 — all marked vulnerable. Only Debian sid (unstable) has the patched 1.25.2-1 package. The tracker classifies the issue as “Minor issue” with a no-dsa tag for both bookworm and trixie, meaning the security team is not planning a Debian Security Advisory and the fix will arrive through normal stable updates rather than a security release.
What We Don’t Know
None of the cited sources reports exploitation in the wild for any of the four CVEs. The PgBouncer project’s advisory text does not include details about scanner activity, proof-of-concept availability, or any embargo on technical write-ups. The Debian tracker, as captured in the security-tracker.debian.org page, does not specify a target date for backports to bookworm or trixie. CISA’s Known Exploited Vulnerabilities catalog does not list any of the four CVEs at the time of writing.
The published NVD record for CVE-2026-6664 shows a publication date of May 8, 2026 — the same day as the upstream release — while the other three entries in ThreatInt’s database record a May 9 publication date. The four CVE identifiers were all reserved on April 20, 2026, according to the same ThreatInt records, suggesting roughly an 18-day coordinated disclosure window between reservation and release.