PT-2026-40289 · Bitnami · Pgbouncer

Published: 2026-05-12 · Updated: 2026-05-12

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
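As an added illustration (not PgBouncer's code and not the fix shipped in 1.25.2), the C below shows the defensive pattern the description implies: an append is accepted only when strlcat()'s return value is strictly below the buffer size, so a server-supplied nonce that does not fit makes message assembly fail cleanly instead of leaving a truncated buffer paired with a length larger than the buffer. xstrlcat is a local OpenBSD-semantics copy so the example builds on any libc; the message layout follows RFC 5802.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Local OpenBSD-semantics strlcat (a copy so this builds on any libc):
 * appends src to dst, always NUL-terminates when dsize > 0, and returns the
 * length of the string it TRIED to create. A return value >= dsize means the
 * output was truncated and dst must not be treated as complete. */
static size_t xstrlcat(char *dst, const char *src, size_t dsize)
{
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == dsize)
        return dsize + slen;          /* dst not terminated: wrote nothing */
    size_t room = dsize - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* The check the advisory says was missing: the append succeeds only when the
 * intended length is strictly less than the buffer size. */
static bool append_checked(char *buf, size_t bufsize, const char *frag)
{
    return xstrlcat(buf, frag, bufsize) < bufsize;
}

/* Assemble a SCRAM client-final-message "c=<cbind>,r=<nonce>,p=<proof>"
 * into a fixed-size caller buffer. The nonce is whatever the server sent,
 * so its length is under the peer's control. Returns false (with buf still
 * NUL-terminated) as soon as any fragment does not fit. */
bool build_client_final(char *buf, size_t bufsize, const char *cbind,
                        const char *nonce, const char *proof)
{
    if (bufsize == 0)
        return false;
    buf[0] = '\0';
    return append_checked(buf, bufsize, "c=")  &&
           append_checked(buf, bufsize, cbind) &&
           append_checked(buf, bufsize, ",r=") &&
           append_checked(buf, bufsize, nonce) &&
           append_checked(buf, bufsize, ",p=") &&
           append_checked(buf, bufsize, proof);
}
```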

Related Identifiers

BIT-PGBOUNCER-2026-6665

Affected Products

Pgbouncer