Cyber Resilience

CVE-2026-42198

Severity: High · DDoS

Published: 29 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: 42.7.11
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-42198 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the PostgreSQL JDBC Driver (pgjdbc). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit likelihood ranks at the 13.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-42198 is a client-side denial-of-service vulnerability in pgjdbc, the open-source PostgreSQL JDBC Driver. It affects versions from 42.2.0 up to but not including 42.7.11. During SCRAM-SHA-256 authentication, a malicious server can specify a very large iteration count, causing the client to consume an unbounded amount of CPU time within the PBKDF2 computation before authentication fails. This ties up a CPU core per attempt and is linked to CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An attacker controlling a PostgreSQL server, or able to trick a client application into connecting to one, can exploit this remotely without authentication or user interaction. A single connection attempt monopolizes a CPU core on the client side, while repeated or concurrent attempts exhaust available CPU resources and can wedge connection pools, leading to widespread denial of service. In affected versions, the loginTimeout parameter provides incomplete mitigation, as the worker thread continues the CPU-intensive PBKDF2 operation even after the timeout expires.

The vulnerability has been patched in pgjdbc version 42.7.11. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq and the release notes at https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11.

EU & UK References

Vulnerability details

pgjdbc is an open source PostgreSQL JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
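As an added illustration of the client-side bound described above, the following constructed Python example (not pgjdbc's code, and the advisory does not say how 42.7.11 fixes the issue) parses a SCRAM server-first message and refuses to start PBKDF2 when the advertised iteration count falls outside an assumed local range. MIN_ITERATIONS, MAX_ITERATIONS, the helper names and the sample messages are assumptions made for this example.

```python
import base64
import hashlib

# RFC 7677 sets 4096 as the minimum a server should use; the upper cap is an
# assumed local policy value, not a number taken from the advisory.
MIN_ITERATIONS = 4096
MAX_ITERATIONS = 1_000_000

class ScramError(ValueError):
    """Raised when the server-first message must not be processed further."""

def parse_server_first(msg: str) -> dict:
    """Split 'r=<nonce>,s=<base64 salt>,i=<count>' into its attributes."""
    fields = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramError(f"malformed attribute {part!r}")
        fields[part[0]] = part[2:]
    if not {"r", "s", "i"}.issubset(fields):
        raise ScramError("server-first message is missing r, s or i")
    return fields

def checked_iterations(msg: str) -> int:
    """Return the iteration count only if it is a bounded decimal integer."""
    raw = parse_server_first(msg)["i"]
    if not (raw.isascii() and raw.isdigit()):
        raise ScramError(f"iteration count {raw!r} is not a decimal integer")
    count = int(raw)
    if not MIN_ITERATIONS <= count <= MAX_ITERATIONS:
        raise ScramError(f"iteration count {count} is outside the allowed range")
    return count

def salted_password(password: str, msg: str) -> bytes:
    """Derive SaltedPassword, but only after the bound check has passed."""
    count = checked_iterations(msg)  # raises before any PBKDF2 work is done
    salt = base64.b64decode(parse_server_first(msg)["s"])
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count)

def accepts(msg: str) -> bool:
    """True if the message passes the bound check, False if it is rejected."""
    try:
        checked_iterations(msg)
        return True
    except ScramError:
        return False

# Constructed sample messages: a normal count and an absurd one from a hostile server.
GOOD_MSG = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
HOSTILE_MSG = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=2147483647"
```

Because the check runs before the derivation starts, the rejected connection costs the client a string parse rather than a core-bound PBKDF2 loop, which is the property loginTimeout alone could not give in affected versions.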

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables a malicious server to exploit the client's PBKDF2 computation during SCRAM-SHA-256 auth, causing unbounded CPU consumption and resource exhaustion on the endpoint without user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6479 (same vendor: PostgreSQL)
CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)

Affected Assets

PostgreSQL
PostgreSQL JDBC Driver
42.2.0 up to, but not including, 42.7.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly remediates the known flaw in pgjdbc versions 42.2.0 to 42.7.10 by requiring timely patching to 42.7.11 or later.

prevent: Prevents or limits client-side denial-of-service from unbounded CPU consumption during SCRAM-SHA-256 PBKDF2 computations triggered by malicious servers.

prevent: Maintains resource availability by bounding CPU allocation during authentication processes to counter exhaustion attacks on connection pools.

References