Attack Chain

1. Attacker identifies a vulnerable PgBouncer instance running a version prior to 1.25.2.
2. Attacker crafts a malicious SCRAM authentication packet specifically designed to trigger the integer overflow.
3. Attacker sends the crafted SCRAM packet to the vulnerable PgBouncer instance.
4. PgBouncer processes the packet, and the integer overflow occurs during the handling of network package sizes.
5. The integer overflow leads to a bypass of boundary checks in the network packet processing logic.
6. Due to the bypassed boundary checks, the application attempts to access an invalid memory location.
7. The invalid memory access causes a system crash, resulting in a denial-of-service.
8. The PgBouncer service becomes unavailable, disrupting applications relying on database connections managed by PgBouncer.

Impact

Exploitation of CVE-2026-6664 results in a denial-of-service condition, impacting the availability of systems utilizing vulnerable PgBouncer instances. While confidentiality and integrity are not directly affected, the disruption of database connections can severely impact applications and services that rely on PostgreSQL databases. There are reports of active exploitation of this vulnerability. Organizations failing to patch are at risk of service disruption.

Recommendation

• Immediately patch all PgBouncer instances to version 1.25.2 or later to remediate CVE-2026-6664 (https://www.pgbouncer.org/changelog.html#pgbouncer-125x).
• Implement and tune the Sigma rule “Detect CVE-2026-6664 Exploitation Attempt - Malformed SCRAM Packet” to identify potentially malicious SCRAM authentication packets targeting PgBouncer instances.
• Monitor network traffic for abnormally sized or malformed SCRAM authentication packets directed at PgBouncer instances as described in the vulnerability description.
• Review the vulnerability details provided by NIST (https://nvd.nist.gov/vuln/detail/CVE-2026-6664) and Exploit-DB (https://exploit-intel.com/vuln/CVE-2026-6664) for more information.