CVE-2026-6665 — Vulnetix

CVE-2026-6665 PUBLISHED CVSS 8.100000381469727 HIGH

The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.

EPSS 0.02% · 5.8th percentile

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.02%

5.8th percentile

Affected Products

Vendor	Product	Versions
n/a	PgBouncer	0

Timeline

May 9, 2026 EPSS Score
May 9, 2026 CVE Published
May 9, 2026 Security Advisory
May 12, 2026 CVE Updated
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory
May 13, 2026 Security Advisory

References

https://www.pgbouncer.org/changelog.html#pgbouncer-125x url
https://nvd.nist.gov/vuln/detail/CVE-2026-6665 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6664 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32185 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41602 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45130 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48431 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6665 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41103 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35439 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32177 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41610 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40417 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41614 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41612 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40374 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41636 advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44656 advisory

…and 16 more

Open in Interactive Console →