CVE-2026-42198
Published: 29 April 2026
Summary
CVE-2026-42198 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the PostgreSQL JDBC Driver (pgjdbc). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 8.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the known flaw in pgjdbc versions 42.2.0 to 42.7.10 by requiring timely patching to 42.7.11 or later.
- Prevents or limits client-side denial of service from unbounded CPU consumption during SCRAM-SHA-256 PBKDF2 computations triggered by malicious servers.
- Maintains resource availability by bounding CPU allocation during authentication to counter exhaustion attacks on connection pools.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a malicious server to exploit the client's PBKDF2 computation during SCRAM-SHA-256 auth, causing unbounded CPU consumption and resource exhaustion on the endpoint without user interaction.
NVD Description
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Deeper analysis
CVE-2026-42198 is a client-side denial-of-service vulnerability in pgjdbc, the open-source PostgreSQL JDBC Driver. It affects versions from 42.2.0 up to but not including 42.7.11. During SCRAM-SHA-256 authentication, a malicious server can specify a very large iteration count, causing the client to consume an unbounded amount of CPU time within the PBKDF2 computation before authentication fails. This ties up a CPU core per attempt and is linked to CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker controlling a PostgreSQL server, or able to trick a client application into connecting to one, can exploit this remotely without authentication or user interaction. A single connection attempt monopolizes a CPU core on the client side, while repeated or concurrent attempts exhaust available CPU resources and can wedge connection pools, leading to widespread denial of service. In affected versions, the loginTimeout parameter provides incomplete mitigation, as the worker thread continues the CPU-intensive PBKDF2 operation even after the timeout expires.
The vulnerability has been patched in pgjdbc version 42.7.11. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq and the release notes at https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11.
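As an added illustration (not pgjdbc's own code), the following Python guard parses the SCRAM server-first-message and refuses to start PBKDF2 when the server-supplied iteration count i falls outside a configured range, which is the class of bound the analysis above calls for. The sample messages and the MIN_ITERATIONS/MAX_ITERATIONS values are assumptions for this example; the page does not state the limits the patched driver applies.

```python
import base64
import hashlib
import re

# Illustrative bounds (assumptions for this example; the page does not state
# pgjdbc's own limits). RFC 5802 recommends at least 4096 iterations.
MIN_ITERATIONS = 4096
MAX_ITERATIONS = 1_000_000

# Constructed sample server-first-messages (not captured traffic): a benign
# server and one demanding an enormous iteration count, as in the advisory.
_SALT_B64 = base64.b64encode(b"salt1234").decode()
SANE_SERVER_FIRST = f"r=clientnonce-servernonce,s={_SALT_B64},i=4096"
HOSTILE_SERVER_FIRST = f"r=clientnonce-servernonce,s={_SALT_B64},i=2000000000"

def parse_server_first(message: str) -> dict:
    """Split a SCRAM server-first-message 'r=<nonce>,s=<b64 salt>,i=<n>'."""
    fields = {}
    for part in message.split(","):
        key, sep, value = part.partition("=")
        if sep != "=" or len(key) != 1:
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        fields[key] = value
    if not {"r", "s", "i"} <= set(fields):
        raise ValueError("server-first-message is missing r=, s= or i=")
    if not re.fullmatch(r"[1-9][0-9]*", fields["i"]):
        raise ValueError("iteration count must be a positive integer")
    return fields

def check_iterations(count: int) -> int:
    """Refuse out-of-range counts before a CPU core is committed to PBKDF2."""
    if not MIN_ITERATIONS <= count <= MAX_ITERATIONS:
        raise ValueError(f"iteration count {count} outside accepted range")
    return count

def accepts(server_first: str) -> bool:
    """True if the client would go on to run PBKDF2 for this message."""
    try:
        check_iterations(int(parse_server_first(server_first)["i"]))
        return True
    except ValueError:
        return False

def salted_password(password: str, server_first: str) -> bytes:
    """SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i), bounds checked."""
    fields = parse_server_first(server_first)
    iterations = check_iterations(int(fields["i"]))
    salt = base64.b64decode(fields["s"])
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
```

The decision is taken before any PBKDF2 work, so a hostile value costs the client a string parse rather than a pinned CPU core; in a pooled driver the check belongs on the worker thread that loginTimeout alone cannot interrupt.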
Details
- CWE(s)