Cyber Resilience

CVE-2026-6664

Severity: High

Published: 09 May 2026

Modified: 14 May 2026
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0005 (16.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6664 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in PgBouncer (vendor Pgbouncer, product Pgbouncer). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 16.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

An integer overflow in the network packet parsing code of PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer by sending a malformed SCRAM authentication packet. The impact is limited to availability (the CVSS vector records C:N/I:N/A:H), but because the flaw is reachable before authentication completes, any instance that accepts connections from untrusted networks is exposed.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The integer overflow sits in unauthenticated network packet parsing, so a remote attacker can crash a public-facing PgBouncer instance (T1190) by exploiting the application to deny service (T1499.004).

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

- CVE-2026-6665 (same product: Pgbouncer Pgbouncer)
- CVE-2025-12819 (same product: Pgbouncer Pgbouncer)
- CVE-2026-37555 (shared CWE-190)
- CVE-2026-30910 (shared CWE-190)
- CVE-2026-23833 (shared CWE-190)
- CVE-2026-27889 (shared CWE-190)
- CVE-2026-40046 (shared CWE-190)
- CVE-2026-25970 (shared CWE-190)
- CVE-2026-24214 (shared CWE-190)
- CVE-2026-41605 (shared CWE-190)

Affected Assets

Vendor: pgbouncer
Product: pgbouncer
Versions: ≤ 1.25.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
