Christophe Pettus: Patch PgBouncer Today
A new patch for PgBouncer, version 1.25.2, was released to address several vulnerabilities, notably CVE-2026-6664, which can cause crashes through malformed packets. Users are urged to patch immediately, as many PgBouncer instances may be unintentionally exposed to the internet. The article emphasizes the importance of regular audits and timely updates to maintain security.
- ▪PgBouncer 1.25.2 was released on May 8, addressing four new CVEs.
- ▪CVE-2026-6664 is a critical vulnerability that can crash PgBouncer through an integer overflow in the SCRAM authentication packet parser.
- ▪Users are advised to patch their PgBouncer instances this week to avoid potential security risks.
Opening excerpt (first ~120 words) tap to expand
2026-05-19 3 min PostgreSQL Patch PgBouncer Today PgBouncer 1.25.2 shipped on May 8 with four new CVEs. The one you actually need to care about is CVE-2026-6664: an integer overflow in the SCRAM authentication packet parser. It is reachable before authentication. A malformed packet crashes the process. Anything that can open a TCP connection to PgBouncer can take PgBouncer down. The Other Three The rest are not nothing, but they are not the day’s emergency. CVE-2026-6665 is a stack overflow triggerable by a malicious backend sending an oversized SCRAM server-final-message nonce. This matters less, because you presumably trust your own Postgres. If you do not trust your own Postgres, you have a different problem.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Postgr.