CVE-2026-6664

HIGH EXPLOITED LAB

PgBouncer integer overflow in PgBouncer network packet parsing

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-6664 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including nicolasjulian.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-6664, demonstrating a PgBouncer crash via an integer overflow in the `mbuf_get_bytes()` function. The exploit leverages a malformed SASL initial response to trigger a denial-of-service condition in PgBouncer versions <= 1.25.1.

Description

An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet.

Exploits (1)

github WORKING POC
by nicolasjulian · pythondos
https://github.com/nicolasjulian/bouncer-overflow

This repository contains a functional proof-of-concept exploit for CVE-2026-6664, demonstrating a PgBouncer crash via an integer overflow in the `mbuf_get_bytes()` function. The exploit leverages a malformed SASL initial response to trigger a denial-of-service condition in PgBouncer versions <= 1.25.1.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: PgBouncer <= 1.25.1
No auth needed
Prerequisites: Docker · Docker Compose · Python 3
mistral-large-3 · analyzed May 12, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0070
EPSS Percentile 48.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull postgres:16

Details

VulnCheck KEV 2026-05-20
CWE
CWE-190
Status published
Products (2)
None/PgBouncer < 1.25.2
pgbouncer/pgbouncer < 1.25.2
Published May 09, 2026
Tracked Since May 09, 2026