PatchSiren

CVE-2026-42198 pgjdbc CVE debrief

CVE-2026-42198 is a high-severity vulnerability in the PostgreSQL JDBC Driver (pgjdbc) that allows a client-side denial of service during SCRAM-SHA-256 authentication. In SCRAM the PBKDF2 iteration count is chosen by the server and sent to the client in the server-first message, so a malicious server can request an extremely large count and make the driver spend an unbounded amount of CPU time inside PBKDF2 before the authentication attempt can even fail. The issue is patched in version 42.7.11. The vulnerability has a CVSS score of 7.5 (high). Affected versions are 42.2.0 up to, but not including, 42.7.11.

Vendor
pgjdbc
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-29
Original CVE updated
2026-06-30
Advisory published
2026-04-29
Advisory updated
2026-06-30

Who should care

Developers and administrators running pgjdbc versions 42.2.0 through 42.7.10 are affected. The attack requires the client to authenticate against a server the attacker controls or can impersonate, so exposure is greatest for applications that accept user-supplied connection strings, connect to third-party or tenant-operated databases, or connect without verifying the server's identity over TLS. Upgrade to 42.7.11 or later. loginTimeout should be set, but on its own it does not stop the CPU burn, because it only bounds how long the caller waits. Defenders should also review connection pool settings so that a few wedged connection attempts cannot consume every pool thread, and watch for the symptoms: client CPU spikes and pool exhaustion during connection establishment.

Technical summary

The vulnerability affects pgjdbc versions 42.2.0 through 42.7.10. During SCRAM-SHA-256 authentication the server supplies the iteration count, and the driver fed that value into PBKDF2 without an upper bound. A malicious server can therefore request a very large count and force the client to spend excessive CPU time deriving the salted password, exhausting client CPU and wedging connection pools whose threads are stuck inside the connection attempt. The issue is patched in version 42.7.11. Setting loginTimeout did not fully mitigate the problem: the timeout aborts only the caller's wait, while the worker thread performing the connection attempt could keep running and burning CPU after the timeout expired.
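The class of guard that removes this failure mode, shown here as an added example in Python rather than pgjdbc's own Java code: the server-first message is parsed, and the server-chosen iteration count is checked against a client-side cap before any PBKDF2 work starts, because once key derivation is running a caller-side timeout cannot reclaim the CPU. The cap value MAX_ITERATIONS, the function names and the sample messages are assumptions for illustration; they are not pgjdbc's limit, API or captured traffic.

```python
"""Bounding the server-chosen SCRAM iteration count before it reaches PBKDF2."""
import base64
import hashlib
import hmac
import re

# Assumed upper bound on the iteration count this client will honour.
# The number is an assumption chosen for illustration; it is not pgjdbc's limit.
MAX_ITERATIONS = 100_000

# server-first-message per RFC 5802 section 7: r=<nonce>,s=<base64 salt>,i=<count>
_SERVER_FIRST = re.compile(r"^r=(?P<nonce>[^,]+),s=(?P<salt>[^,]+),i=(?P<iters>\d+)$")


class IterationCountTooLarge(ValueError):
    """The server asked for more PBKDF2 work than this client is willing to do."""


def parse_server_first(msg: str, max_iterations: int = MAX_ITERATIONS) -> dict:
    """Parse server-first and reject an unreasonable iteration count up front.

    The check must run here, before key derivation starts: a timeout on the
    caller's side does nothing to stop a worker thread already inside PBKDF2.
    """
    m = _SERVER_FIRST.match(msg)
    if m is None:
        raise ValueError("malformed server-first-message")
    iters = int(m.group("iters"))
    if iters < 1:
        raise ValueError("iteration count must be at least 1")
    if iters > max_iterations:
        raise IterationCountTooLarge(
            f"server requested i={iters}, client cap is {max_iterations}"
        )
    return {
        "nonce": m.group("nonce"),
        "salt": base64.b64decode(m.group("salt"), validate=True),
        "iters": iters,
    }


def salted_password(password: str, salt: bytes, iters: int) -> bytes:
    """SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-256 (RFC 5802)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, dklen=32)


def client_key(password: str, server_first: str, max_iterations: int = MAX_ITERATIONS) -> bytes:
    """Derive ClientKey = HMAC(SaltedPassword, "Client Key") for a server-first message.

    The expensive PBKDF2 step runs only after the iteration count has been bounded.
    """
    parsed = parse_server_first(server_first, max_iterations)
    sp = salted_password(password, parsed["salt"], parsed["iters"])
    return hmac.new(sp, b"Client Key", hashlib.sha256).digest()


# Constructed sample messages for illustration (not captured from a real server).
SALT_B64 = base64.b64encode(b"0123456789abcdef").decode()
BENIGN_SERVER_FIRST = f"r=clientnonce+servernonce,s={SALT_B64},i=4096"
HOSTILE_SERVER_FIRST = f"r=clientnonce+servernonce,s={SALT_B64},i=2000000000"


if __name__ == "__main__":
    print(client_key("pencil", BENIGN_SERVER_FIRST).hex())
    try:
        client_key("pencil", HOSTILE_SERVER_FIRST)
    except IterationCountTooLarge as exc:
        print("rejected before any PBKDF2 work:", exc)
```

The hostile message is rejected in parse_server_first, so the two billion iterations are never attempted; the same message parses fine if the cap is raised, which is the point of keeping the bound in one configurable place rather than scattering timeouts around the caller.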

Defensive priority

Upgrading to 42.7.11 or later is the only complete fix and should be treated as high priority wherever the driver authenticates to servers outside the operator's control. loginTimeout should still be configured, but it bounds only how long the caller waits, not the CPU spent by the connection thread, so it is a partial control and not a substitute for the upgrade. Monitoring should focus on the observable symptoms: connection attempts that stall in authentication, sustained CPU spikes in client JVMs, and pool exhaustion.

Recommended defensive actions

  • Upgrade to pgjdbc version 42.7.11 or later; this is the only complete fix
  • Configure loginTimeout (and connectTimeout) so callers do not block indefinitely, keeping in mind that this does not stop the CPU burn on the worker thread
  • Restrict which servers the driver may authenticate to and verify server identity over TLS, so an attacker cannot substitute a malicious server
  • Monitor for connection attempts that stall in authentication, sustained CPU spikes in client JVMs, and pool exhaustion, which are the observable symptoms of exploitation
  • Review connection pool configuration (pool size, connection acquisition timeout, maximum connection lifetime) so a few wedged connection attempts cannot starve the whole pool

Evidence notes

CVE-2026-42198 was publicly disclosed on April 29, 2026, and the record was last updated on June 30, 2026. The vulnerability carries a CVSS score of 7.5 (high). Affected versions are 42.2.0 up to, but not including, 42.7.11; the issue is patched in version 42.7.11.

Official resources

This article is AI-assisted and based on the supplied source corpus.