{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6664/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6664"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PgBouncer \u003c 1.25.2"],"_cs_severities":["high"],"_cs_tags":["integer overflow","denial of service","CVE-2026-6664"],"_cs_type":"threat","_cs_vendors":["PgBouncer"],"content_html":"\u003cp\u003ePgBouncer, a widely used open-source connection pooler for PostgreSQL, is affected by an actively exploited integer overflow vulnerability (CVE-2026-6664) in versions prior to 1.25.2. Discovered in early May 2026, this vulnerability allows remote attackers to crash the system without authentication or user interaction. A publicly available proof of concept exists, and reports indicate active exploitation. The vulnerability is located within the network packet processing code and involves an integer overflow, leading to a bypass of boundary checks. Successful exploitation leads to a denial-of-service condition, impacting system availability. Defenders should prioritize patching vulnerable instances and enhance monitoring capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PgBouncer instance running a version prior to 1.25.2.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SCRAM authentication packet specifically designed to trigger the integer overflow.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted SCRAM packet to the vulnerable PgBouncer instance.\u003c/li\u003e\n\u003cli\u003ePgBouncer processes the packet, and the integer overflow occurs during the handling of network package sizes.\u003c/li\u003e\n\u003cli\u003eThe integer overflow leads to a bypass of boundary checks in the network packet processing logic.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed boundary checks, the application attempts to access an invalid memory location.\u003c/li\u003e\n\u003cli\u003eThe invalid memory access causes a system crash, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe PgBouncer service becomes unavailable, disrupting applications relying on database connections managed by PgBouncer.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eExploitation of CVE-2026-6664 results in a denial-of-service condition, impacting the availability of systems utilizing vulnerable PgBouncer instances. While confidentiality and integrity are not directly affected, the disruption of database connections can severely impact applications and services that rely on PostgreSQL databases. There are reports of active exploitation of this vulnerability. Organizations failing to patch are at risk of service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all PgBouncer instances to version 1.25.2 or later to remediate CVE-2026-6664 (\u003ca href=\"https://www.pgbouncer.org/changelog.html#pgbouncer-125x)\"\u003ehttps://www.pgbouncer.org/changelog.html#pgbouncer-125x)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rule \u0026ldquo;Detect CVE-2026-6664 Exploitation Attempt - Malformed SCRAM Packet\u0026rdquo; to identify potentially malicious SCRAM authentication packets targeting PgBouncer instances.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for abnormally sized or malformed SCRAM authentication packets directed at PgBouncer instances as described in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eReview the vulnerability details provided by NIST (\u003ca href=\"https://nvd.nist.gov/vuln/detail/CVE-2026-6664\"\u003ehttps://nvd.nist.gov/vuln/detail/CVE-2026-6664\u003c/a\u003e) and Exploit-DB (\u003ca href=\"https://exploit-intel.com/vuln/CVE-2026-6664\"\u003ehttps://exploit-intel.com/vuln/CVE-2026-6664\u003c/a\u003e) for more information.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T19:31:08Z","date_published":"2026-05-20T19:31:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pgbouncer-overflow/","summary":"PgBouncer versions prior to 1.25.2 are vulnerable to an integer overflow (CVE-2026-6664), enabling unauthenticated remote attackers to trigger a denial-of-service via a crafted SCRAM authentication packet, with active exploitation reported.","title":"Actively Exploited Integer Overflow in PgBouncer (CVE-2026-6664)","url":"https://feed.craftedsignal.io/briefs/2026-05-pgbouncer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-6664","version":"https://jsonfeed.org/version/1.1"}