PatchSiren cyber security CVE debrief
CVE-2026-42198 pgjdbc CVE debrief
CVE-2026-42198 is a high-severity vulnerability in the PostgreSQL JDBC Driver (pgjdbc) that allows for a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count, causing the client to spend an unbounded amount of CPU time inside PBKDF2 before authentication can fail. This issue has been patched in version 42.7.11. The vulnerability has a CVSS score of 7.5 and is considered high severity. The affected versions are from 42.2.0 to before 42.7.11.
- Vendor: pgjdbc
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-29
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-29
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using the PostgreSQL JDBC Driver (pgjdbc) versions 42.2.0 to 42.7.10 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 42.7.11 or later, and ensuring that loginTimeout is properly configured. Additionally, defenders should monitor for potential exploitation attempts and implement compensating controls to prevent denial of service attacks.
Technical summary
The vulnerability exists in the PostgreSQL JDBC Driver (pgjdbc) versions 42.2.0 to 42.7.10. A malicious server can instruct the driver to perform SCRAM-SHA-256 authentication with a large iteration count, causing the client to spend excessive CPU time inside PBKDF2. This can lead to a client-side denial of service, potentially exhausting client CPU and wedging connection pools. The issue is patched in version 42.7.11. The loginTimeout configuration did not fully mitigate this problem, as the worker thread performing the connection attempt could continue running and burning CPU even after the timeout expired.
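To make the failure mode concrete, here is an added example (not pgjdbc's code and not the 42.7.11 fix) of the kind of client-side check that bounds the server-chosen iteration count before any PBKDF2 work starts; the cap of 1,000,000, the minimum of 4096 and the sample messages are assumptions constructed for this illustration.

```python
"""Client-side guard for SCRAM-SHA-256 server-first messages (added example,
not pgjdbc code). It parses r=<nonce>,s=<salt>,i=<n> (RFC 5802 syntax) and
rejects an out-of-range iteration count before any PBKDF2 work is done."""
import base64
import hashlib
import re

MIN_SCRAM_ITERATIONS = 4096        # RFC 7677 recommended minimum
MAX_SCRAM_ITERATIONS = 1_000_000   # assumed policy cap, chosen for this example

_SERVER_FIRST = re.compile(r"^r=(?P<nonce>[^,]+),s=(?P<salt>[^,]+),i=(?P<iters>\d+)$")

def parse_server_first(message: str, client_nonce: str) -> dict:
    """Validate the message; raise ValueError instead of letting the server
    choose an unbounded PBKDF2 cost for the client."""
    m = _SERVER_FIRST.match(message)
    if m is None:
        raise ValueError("malformed SCRAM server-first message")
    nonce = m.group("nonce")
    if not nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    iters = int(m.group("iters"))
    if iters < MIN_SCRAM_ITERATIONS:
        raise ValueError(f"iteration count {iters} below minimum")
    if iters > MAX_SCRAM_ITERATIONS:
        # The CVE-2026-42198 failure mode: a hostile server sets i to a huge
        # value; refuse here rather than burn CPU inside PBKDF2.
        raise ValueError(f"iteration count {iters} exceeds cap")
    return {"nonce": nonce, "salt": base64.b64decode(m.group("salt")), "iterations": iters}

def is_acceptable(message: str, client_nonce: str) -> bool:
    """True if the server-first message passes the bounds checks."""
    try:
        parse_server_first(message, client_nonce)
        return True
    except ValueError:
        return False

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-256.
    SASLprep normalisation is omitted in this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

# Constructed sample messages; nonce and salt shapes follow the RFC 5802 example.
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
BENIGN_MSG = f"r={CLIENT_NONCE}3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
HOSTILE_MSG = f"r={CLIENT_NONCE}3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=2147483647"
```

Only once `parse_server_first` has accepted the message should the client call `salted_password` with the returned salt and iteration count.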
Defensive priority
High priority should be given to upgrading to version 42.7.11 or later. Defenders should also ensure that loginTimeout is properly configured and monitor for potential exploitation attempts.
Recommended defensive actions
- Upgrade to pgjdbc version 42.7.11 or later
- Ensure loginTimeout is properly configured, noting that on its own it did not fully mitigate this issue, since the worker thread performing the connection attempt could keep running after the timeout expired
- Monitor for potential exploitation attempts
- Implement compensating controls to prevent denial of service attacks
- Review and update connection pool configurations
Evidence notes
The CVE-2026-42198 vulnerability was publicly disclosed on April 29, 2026, and has since been modified on June 30, 2026. The vulnerability has a CVSS score of 7.5 and is considered high severity. The affected versions are from 42.2.0 to before 42.7.11. The issue is patched in version 42.7.11.
Official resources
- CVE-2026-42198 CVE record (CVE.org)
- CVE-2026-42198 NVD detail (NVD)
- Mitigation or vendor reference: Release Notes
- Mitigation or vendor reference: Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.