WeSearch

Christophe Pettus: Patch PgBouncer Today

·2 min read · 0 reactions · 0 comments · 34 views
#security#postgresql#patching
Christophe Pettus: Patch PgBouncer Today
TL;DR · WeSearch summary

A new patch for PgBouncer, version 1.25.2, was released to address several vulnerabilities, notably CVE-2026-6664, which can cause crashes through malformed packets. Users are urged to patch immediately, as many PgBouncer instances may be unintentionally exposed to the internet. The article emphasizes the importance of regular audits and timely updates to maintain security.

Key facts
Original article
Postgr
Read full at Postgr →
Opening excerpt (first ~120 words) tap to expand

2026-05-19 3 min PostgreSQL Patch PgBouncer Today PgBouncer 1.25.2 shipped on May 8 with four new CVEs. The one you actually need to care about is CVE-2026-6664: an integer overflow in the SCRAM authentication packet parser. It is reachable before authentication. A malformed packet crashes the process. Anything that can open a TCP connection to PgBouncer can take PgBouncer down. The Other Three The rest are not nothing, but they are not the day’s emergency. CVE-2026-6665 is a stack overflow triggerable by a malicious backend sending an oversized SCRAM server-final-message nonce. This matters less, because you presumably trust your own Postgres. If you do not trust your own Postgres, you have a different problem.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Postgr.

Anonymous · no account needed
Share 𝕏 Facebook Reddit LinkedIn Threads WhatsApp Bluesky Mastodon Email

Discussion

0 comments

More from Postgr