Hi,
The following vulnerabilities were published for pgbouncer.
CVE-2026-6664[0]:
| An integer overflow in network packet parsing code in PgBouncer
| before 1.25.2 bypasses a boundary check and can lead to a crash. An
| unauthenticated remote attacker can crash PgBouncer with a malformed
| SCRAM authentication packet.
CVE-2026-6665[1]:
| The SCRAM code in PgBouncer before 1.25.2 did not check the return
| value of strlcat() correctly when building the contents of the SCRAM
| client-final-message. A malicious backend that sends a SCRAM server-
| final-message with a long nonce can trigger a stack overflow.
CVE-2026-6666[2]:
| A possible null pointer reference in PgBouncer before 1.25.2 could
| lead to a crash, if a server sends an error response without
| SQLSTATE field.
CVE-2026-6667[3]:
| PgBouncer before 1.25.2 did not perform an appropriate authorization
| check for the KILL_CLIENT admin command. All users with access to
| the administration console (which itself requires authorization)
| could run this command. It would have been correct to allow only
| users listed in the admin_users parameter.
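As an added illustration of the defect class behind CVE-2026-6665 (this is example code, not PgBouncer's): when a SCRAM client-final-message is assembled into a fixed-size buffer with strlcat(), every return value has to be compared against the buffer size, because strlcat() reports the length it tried to produce and silently truncates. The function names, the local my_strlcat() and the sample field values are assumptions made for the example; only the "c=,r=,p=" layout comes from RFC 5802.

```c
/* Added example, not PgBouncer's code: assembling a fixed-size SCRAM
 * client-final-message with strlcat() and checking every return value.
 * strlcat() returns the length it tried to create; a result >= the buffer
 * size means truncation, which must stop the build instead of being
 * ignored. The field layout follows RFC 5802 ("c=...,r=...,p=..."). */
#include <stddef.h>
#include <string.h>

/* Portable strlcat(): some libcs lack it, so the example carries its own. */
static size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src);
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)
        return size + slen;           /* dst not terminated within size */
    if (slen < size - dlen) {
        memcpy(dst + dlen, src, slen + 1);
    } else {
        memcpy(dst + dlen, src, size - dlen - 1);
        dst[size - 1] = '\0';
    }
    return dlen + slen;
}

/* Append piece to buf; 0 on success, -1 if the result would not fit. */
static int append_checked(char *buf, size_t size, const char *piece)
{
    return my_strlcat(buf, piece, size) >= size ? -1 : 0;
}

/* Build "c=<gs2>,r=<client_nonce><server_nonce>,p=<proof>" into buf.
 * Returns 0 on success, -1 (with buf still NUL-terminated) if any piece,
 * such as an oversized nonce sent back by the server, does not fit. */
int build_client_final(char *buf, size_t size, const char *gs2_b64,
                       const char *client_nonce, const char *server_nonce,
                       const char *proof_b64)
{
    const char *pieces[] = { "c=", gs2_b64, ",r=", client_nonce,
                             server_nonce, ",p=", proof_b64 };
    if (size == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof pieces / sizeof pieces[0]; i++)
        if (append_checked(buf, size, pieces[i]) != 0)
            return -1;
    return 0;
}
```

A caller that ignores the -1 and proceeds with the truncated buffer would still be safe from overflow here; the point is that the original unchecked pattern does not stop at the buffer boundary at all.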
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-6664
https://www.cve.org/CVERecord?id=CVE-2026-6664
[1] https://security-tracker.debian.org/tracker/CVE-2026-6665
https://www.cve.org/CVERecord?id=CVE-2026-6665
[2] https://security-tracker.debian.org/tracker/CVE-2026-6666
https://www.cve.org/CVERecord?id=CVE-2026-6666
[3] https://security-tracker.debian.org/tracker/CVE-2026-6667
https://www.cve.org/CVERecord?id=CVE-2026-6667
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore