Cyber Resilience

CVE-2026-6665

High

Published: 09 May 2026

Modified: 14 May 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0037 (29.1th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6665 is a high-severity stack-based buffer overflow (CWE-121) in PgBouncer (vendor Pgbouncer, product Pgbouncer). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 29.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
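As an added illustration of the bug class the advisory describes (this is not PgBouncer's code): a strlcat() return value treated as a write cursor, beside the checked form that rejects an over-long, peer-supplied nonce. The 64-byte buffer, the "c=biws,r=<nonce>" layout and the 199-byte nonce are constructed for the demo, and bsd_strlcat is a local stand-in for the libc function.

```c
#include <string.h>
#define CLIENT_FINAL_MAX 64  /* constructed stack-buffer size for the demo */
/* Local stand-in with the BSD strlcat() contract (glibc only added strlcat in
 * 2.38): returns the length the full concatenation would have had, so a result
 * >= size means the copy was truncated and is not a valid write offset. */
size_t bsd_strlcat(char *dst, const char *src, size_t size) {
    size_t dlen = 0, slen = strlen(src), copy;
    while (dlen < size && dst[dlen] != '\0') dlen++;
    if (dlen == size) return size + slen;  /* dst unterminated: nothing appended */
    copy = slen < size - dlen - 1 ? slen : size - dlen - 1;
    memcpy(dst + dlen, src, copy);
    dst[dlen + copy] = '\0';
    return dlen + slen;
}

/* Bug pattern (illustrative, not PgBouncer's code): "c=biws,r=<nonce>" is built
 * with strlcat() and the raw return value handed back as the write position.
 * A long backend-supplied nonce makes it exceed the buffer, so a later write
 * at that offset lands past the stack buffer. */
size_t append_nonce_unchecked(char *buf, size_t size, const char *nonce) {
    buf[0] = '\0';
    bsd_strlcat(buf, "c=biws,r=", size);
    return bsd_strlcat(buf, nonce, size);
}

/* Hardened variant: compare every strlcat() result with the buffer size and
 * reject the message instead of trusting a peer-controlled length. */
int build_client_final_checked(char *buf, size_t size, const char *nonce) {
    buf[0] = '\0';
    if (bsd_strlcat(buf, "c=biws,r=", size) >= size) return -1;
    if (bsd_strlcat(buf, nonce, size) >= size) { buf[0] = '\0'; return -1; }
    return 0;
}

/* Constructed scenario: a 199-byte nonce against a 64-byte buffer. Returns 1 when
 * the unchecked return points past the buffer and the checked builder rejects it. */
int long_nonce_scenario(void) {
    char buf[CLIENT_FINAL_MAX], nonce[200];
    memset(nonce, 'A', sizeof nonce - 1);
    nonce[sizeof nonce - 1] = '\0';
    return append_nonce_unchecked(buf, sizeof buf, nonce) >= sizeof buf
        && build_client_final_checked(buf, sizeof buf, nonce) == -1;
}

/* Well-formed nonce: accepted, and the buffer holds the expected text. */
int short_nonce_ok(void) {
    char buf[CLIENT_FINAL_MAX];
    return build_client_final_checked(buf, sizeof buf, "abc123") == 0
        && strcmp(buf, "c=biws,r=abc123") == 0;
}
```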

CWE(s)

CWE-121: Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Stack overflow in PgBouncer client-side SCRAM handling triggered by malicious backend response directly enables remote code execution via client exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6664 - same product: Pgbouncer Pgbouncer
CVE-2025-12819 - same product: Pgbouncer Pgbouncer
CVE-2025-54480 - shared CWE-121
CVE-2025-69195 - shared CWE-121
CVE-2026-43661 - shared CWE-121
CVE-2019-25321 - shared CWE-121
CVE-2026-33554 - shared CWE-121
CVE-2024-34579 - shared CWE-121
CVE-2020-37142 - shared CWE-121
CVE-2026-1761 - shared CWE-121

Affected Assets

Vendor: pgbouncer
Product: pgbouncer
Versions: ≤ 1.25.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
