PgBouncer Stack Overflow Vulnerability in SCRAM Authentication Handling

Vulnerability

PgBouncer versions before 1.25.2 contain a stack buffer overflow in their SCRAM authentication code. When PgBouncer authenticates to a PostgreSQL backend with SCRAM, it assembles the client-final-message in a fixed-size stack buffer with strlcat(). strlcat() itself never writes past the buffer; it signals truncation only through its return value, which is the length the result would have had without truncation (a value greater than or equal to the buffer size means the input did not fit). That return value was not validated, so a truncated message went unnoticed, the code carried on as though the whole message had fit, and later writes into the buffer ran past its end. A malicious backend triggers the flaw by returning a server-first-message (the SCRAM message that carries the server nonce, and the one the client-final-message is built from) with an overly long nonce.
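The following C program is an added example and not PgBouncer's code (which this page does not reproduce). It puts the unchecked-strlcat shape beside a hardened version: it pulls the r= nonce out of a constructed server-first-message, builds the client-final-message in an illustrative 128-byte stack buffer, and reports where the unchecked path would place its next write. Everything named here (xstrlcat, scram_attr, MSG_BUF, build_client_final_*, the wrapper functions) is an assumption made for the example, the sample messages reuse the RFC 7677 example strings plus a constructed 200-byte nonce padding, and the proof is a fixed placeholder string because the SCRAM HMAC computation is not the point.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size stack buffer for the client-final-message (illustrative, not PgBouncer's). */
#define MSG_BUF 128

/* Constructed sample values (RFC 7677 example strings). PROOF_B64 stands in for base64(ClientProof). */
static const char CLIENT_NONCE[] = "rOprNGfwEbeRWgbNEkqO";
static const char PROOF_B64[] = "dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=";
#define SERVER_FIRST_OK \
    "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
/* Same message from a hostile backend: the combined nonce is padded with 200 bytes. */
#define A16 "AAAAAAAAAAAAAAAA"
#define A64 A16 A16 A16 A16
#define SERVER_FIRST_LONG \
    "r=rOprNGfwEbeRWgbNEkqO" A64 A64 A64 "AAAAAAAA,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"

/* BSD strlcat, defined locally so the example builds on any libc. It never writes past
 * dst[size-1] and always NUL-terminates, but it reports truncation ONLY via its return
 * value, strlen(dst)+strlen(src) as they would be without truncation: >= size means dropped bytes. */
static size_t xstrlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src), room, n;
    while (dlen < size && dst[dlen] != '\0') dlen++;
    if (dlen == size) return size + slen;        /* dst not terminated within size */
    room = size - dlen - 1;
    n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Copy the value of one-letter SCRAM attribute `key` out of a comma-separated message;
 * refuses (-1) rather than truncating when the value does not fit in out. */
int scram_attr(const char *msg, char key, char *out, size_t outsz)
{
    const char *p = msg;
    while (p && *p) {
        if (p[0] == key && p[1] == '=') {
            const char *v = p + 2, *end = strchr(v, ',');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if ((p = strchr(p, ',')) != NULL) p++;
    }
    return -1;
}

/* Vulnerable shape (illustrative, not PgBouncer's code): the strlcat result is taken as the
 * running length and the proof would be written at buf + len, but len is never compared
 * with sizeof buf, so an oversized nonce makes that write land on the stack past buf.
 * This example stops short of the write and returns the offset instead; out receives
 * what actually ended up in buf (a silently truncated message). */
size_t build_client_final_unchecked(const char *full_nonce, char *out, size_t outsz)
{
    char buf[MSG_BUF];
    snprintf(buf, sizeof buf, "c=biws,r=");
    xstrlcat(buf, full_nonce, sizeof buf);          /* result dropped: truncation unnoticed */
    size_t len = xstrlcat(buf, ",p=", sizeof buf);  /* result used as a position, unchecked */
    /* vulnerable code would now do: memcpy(buf + len, PROOF_B64, strlen(PROOF_B64)); */
    snprintf(out, outsz, "%s", buf);
    return len;
}

/* Hardened shape: each strlcat result is checked against sizeof buf, so a nonce that does
 * not fit makes the whole construction fail closed (-1) instead of sending garbage. */
int build_client_final_checked(const char *full_nonce, char *out, size_t outsz)
{
    char buf[MSG_BUF];
    snprintf(buf, sizeof buf, "c=biws,r=");
    if (xstrlcat(buf, full_nonce, sizeof buf) >= sizeof buf) return -1;   /* the missing check */
    if (xstrlcat(buf, ",p=", sizeof buf) >= sizeof buf) return -1;
    if (xstrlcat(buf, PROOF_B64, sizeof buf) >= sizeof buf) return -1;
    if (strlen(buf) >= outsz) return -1;
    memcpy(out, buf, strlen(buf) + 1);
    return 0;
}

/* r= from the server-first-message; SCRAM requires it to start with our own client nonce. */
static int server_first_nonce(const char *server_first, char *nonce, size_t nsz)
{
    if (scram_attr(server_first, 'r', nonce, nsz) != 0) return -1;
    return strncmp(nonce, CLIENT_NONCE, strlen(CLIENT_NONCE)) == 0 ? 0 : -1;
}

/* Hardened path end to end: 0 on success, -1 if the message was rejected. */
int client_final_checked_ok(const char *server_first)
{
    char nonce[512], msg[MSG_BUF];
    if (server_first_nonce(server_first, nonce, sizeof nonce) != 0) return -1;
    return build_client_final_checked(nonce, msg, sizeof msg);
}

/* Vulnerable path end to end: offset of the would-be proof write; >= MSG_BUF is past the buffer. */
size_t client_final_unchecked_proof_offset(const char *server_first)
{
    char nonce[512], msg[MSG_BUF];
    if (server_first_nonce(server_first, nonce, sizeof nonce) != 0) return 0;
    return build_client_final_unchecked(nonce, msg, sizeof msg);
}

int main(void)
{
    printf("hardened: normal nonce -> %d, long nonce -> %d\n",
           client_final_checked_ok(SERVER_FIRST_OK), client_final_checked_ok(SERVER_FIRST_LONG));
    printf("unchecked: proof write at offset %zu (normal) vs %zu (long); buffer is %d bytes\n",
           client_final_unchecked_proof_offset(SERVER_FIRST_OK),
           client_final_unchecked_proof_offset(SERVER_FIRST_LONG), MSG_BUF);
    return 0;
}
```

With the normal nonce both builders agree and the proof lands at offset 62 inside the 128-byte buffer. With the padded nonce the unchecked path believes the message is 130 bytes long, so its next write would start 2 bytes past the end of the stack buffer, while the hardened path rejects the message at the first append. The whole fix is the comparison against sizeof buf after every strlcat(); with a truncating API the return value is the only place the truncation is visible, so dropping it is equivalent to having no bounds check at all.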

Impact

The overflow corrupts the stack of the PgBouncer process with data chosen by the backend. At a minimum it crashes PgBouncer, which is a denial of service for every client pooled through that instance; depending on the build's hardening and the stack layout, the corruption could potentially be turned into arbitrary code execution in the PgBouncer process. The trigger is a message from the backend, not from a connecting client: the attacker must control, or be able to impersonate, the PostgreSQL server that PgBouncer authenticates to with SCRAM.

Remediation

Upgrade to PgBouncer 1.25.2 or later, which validates the strlcat() return value when building the client-final-message. Until the upgrade is in place, exposure is limited to deployments in which PgBouncer authenticates to its backends with SCRAM and one of those backends is not fully trusted.

Added: May 9, 2026, 1:18 AM
Updated: May 9, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact          7.5
exploitability  6.4
remediation     7.7
relevance       7.7
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.