PT-2026-35952 · Pgjdbc · Pgjdbc
Sehrope · Published 2026-04-29 · Updated 2026-04-29
CVE-2026-42198 · CVSS v3.1 7.5 High · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: pgjdbc versions 42.2.0 through 42.7.10

Description: A client-side denial of service occurs during SCRAM-SHA-256 authentication. A malicious server can force the driver to execute SCRAM authentication using an excessively large iteration count, causing the client to consume an unbounded amount of CPU time within the PBKDF2 (Password-Based Key Derivation Function 2) process. This can tie up a CPU core per attempt, and concurrent attempts may exhaust client CPU resources and freeze connection pools. The loginTimeout parameter does not fully mitigate this issue, as the worker thread may continue the PBKDF2 computation even after the timeout expires.

Recommendations: Update to version 42.7.11.
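The mitigation the description implies is a bound on the server-supplied iteration count enforced before any PBKDF2 work starts. The following is an added example, not pgjdbc's own code: it parses a SCRAM server-first-message, rejects an iteration count outside a client policy, and only then derives SaltedPassword. The cap `MAX_ITERATIONS` and the sample messages are assumptions constructed for the example.

```python
import base64
import hashlib
import re

# RFC 7677 requires at least 4096 iterations for SCRAM-SHA-256; the upper cap is
# an assumed client policy for this example, not a value from the advisory or pgjdbc.
MIN_ITERATIONS = 4096
MAX_ITERATIONS = 1_000_000


class ScramPolicyError(ValueError):
    """Raised when a server-first-message violates the client's cost policy."""


def parse_server_first(msg: str) -> dict:
    """Parse 'r=<nonce>,s=<base64 salt>,i=<iterations>' (RFC 5802 attribute syntax)."""
    fields = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ScramPolicyError(f"malformed attribute: {part!r}")
        fields[part[0]] = part[2:]
    for key in ("r", "s", "i"):
        if key not in fields:
            raise ScramPolicyError(f"missing attribute {key}")
    # Reject signs, leading zeros and non-digits before converting to int.
    if not re.fullmatch(r"[1-9][0-9]*", fields["i"]):
        raise ScramPolicyError("iteration count is not a positive integer")
    return {
        "nonce": fields["r"],
        "salt": base64.b64decode(fields["s"], validate=True),
        "iterations": int(fields["i"]),
    }


def check_iterations(iterations: int) -> bool:
    """Return True when the server-requested PBKDF2 cost is within policy."""
    return MIN_ITERATIONS <= iterations <= MAX_ITERATIONS


def salted_password(password: str, msg: str) -> bytes:
    """Derive SaltedPassword, refusing unbounded work before any PBKDF2 runs."""
    params = parse_server_first(msg)
    if not check_iterations(params["iterations"]):
        raise ScramPolicyError(
            f"refusing iteration count {params['iterations']} "
            f"(allowed {MIN_ITERATIONS}..{MAX_ITERATIONS})"
        )
    normalized = password.encode("utf-8")  # SASLprep omitted for brevity
    return hashlib.pbkdf2_hmac("sha256", normalized, params["salt"], params["iterations"])


# Constructed sample messages: a sane server and one demanding an enormous count.
SALT_B64 = base64.b64encode(b"salt1234").decode()
SANE_MSG = f"r=clientnonceservernonce,s={SALT_B64},i=4096"
HOSTILE_MSG = f"r=clientnonceservernonce,s={SALT_B64},i=2000000000"
```

The check runs on the parsed message, so a hostile count is rejected with no CPU spent on the derivation, which is what a loginTimeout alone cannot guarantee.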

Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-42198

Affected Products: Pgjdbc