CVE-2026-6664 is a CISA KEV-confirmed integer overflow in PgBouncer’s SCRAM authentication packet parser that allows an unauthenticated remote attacker to crash the connection pooler with a single malformed packet. Any organization running a PgBouncer version prior to 1.25.2 with the service exposed to untrusted networks faces an immediate risk of disrupted database connectivity. The fix, upgrading to PgBouncer 1.25.2, is available and straightforward.
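A triage check for the two conditions named above (version prior to 1.25.2, listener reachable from other hosts), as an added example that is not from this page or the PgBouncer project. It assumes the banner format printed by `pgbouncer --version` or `SHOW VERSION`, treats any non-loopback `listen_addr` as a stand-in for network exposure, and uses constructed sample inputs; the function names are illustrative.

```python
import ipaddress
import re

FIXED = (1, 25, 2)  # first fixed release, per the advisory text above
# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "PgBouncer 1.25.1\nlibevent 2.1.12-stable"
SAMPLE_INI = "[databases]\napp = host=10.0.0.5\n[pgbouncer]\nlisten_addr = *\n"

def parse_version(banner):
    """Pull (major, minor, patch) out of a version banner, compared numerically."""
    m = re.search(r"PgBouncer\s+(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no PgBouncer version found in banner")
    return tuple(int(g or 0) for g in m.groups())

def listen_addrs(ini_text):
    """Return listen_addr entries from the [pgbouncer] section of pgbouncer.ini."""
    section, addrs = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "pgbouncer" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "listen_addr":
                addrs = [a.strip() for a in value.split(",") if a.strip()]
    return addrs  # empty list: listen_addr not set

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or a hostname: assume reachable from other hosts

def triage(banner, ini_text):
    """Classify an instance: patched, vulnerable-local or vulnerable-exposed."""
    if parse_version(banner) >= FIXED:
        return "patched"
    # Assumption: a non-loopback listener is a proxy for network exposure.
    if any(not is_loopback(a) for a in listen_addrs(ini_text)):
        return "vulnerable-exposed"
    return "vulnerable-local"

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_INI))
```

A `vulnerable-local` result still needs the upgrade; the listener check only orders the patch queue and does not account for firewalls or port forwarding.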