CVE-2026-6665
Published: 09 May 2026
Summary
CVE-2026-6665 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Pgbouncer Pgbouncer. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28877
Vulnerability details
The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack…
more
overflow.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack overflow in PgBouncer client-side SCRAM handling triggered by malicious backend response directly enables remote code execution via client exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.