High severity8.1NVD Advisory· Published May 9, 2026· Updated May 14, 2026
CVE-2026-6665
CVE-2026-6665
Description
The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9- osv-coords7 versionspkg:apk/chainguard/pgbouncerpkg:apk/chainguard/pgbouncer-docpkg:apk/chainguard/pgbouncer-iamguarded-compatpkg:apk/wolfi/pgbouncerpkg:apk/wolfi/pgbouncer-docpkg:apk/wolfi/pgbouncer-iamguarded-compatpkg:bitnami/pgbouncer
< 1.25.2-r0+ 6 more
- (no CPE)range: < 1.25.2-r0
- (no CPE)range: < 1.25.2-r0
- (no CPE)range: < 1.25.2-r0
- (no CPE)range: < 1.25.2-r0
- (no CPE)range: < 1.25.2-r0
- (no CPE)range: < 1.25.2-r0
- (no CPE)range: < 1.25.2
Patches
Vulnerability mechanics
References
1- www.pgbouncer.org/changelog.htmlnvdRelease Notes
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026