PT-2026-35952 · Pgjdbc+1

Sehrope · Published 2026-04-29 · Updated 2026-06-11 · CVE-2026-42198

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
pgjdbc versions 42.2.0 through 42.7.10

Description
A client-side denial of service in SCRAM-SHA-256 authentication. In SCRAM the server chooses the PBKDF2 iteration count and sends it to the client in its server-first message (the i= attribute), and the driver used that value without an upper bound. A malicious or attacker-controlled server can therefore send an excessively large count and make the driver spend an unbounded amount of CPU time in PBKDF2 (Password-Based Key Derivation Function 2). Each attempt ties up a CPU core, so concurrent connection attempts against such a server can exhaust the client's CPU and stall connection pools. The loginTimeout parameter does not fully mitigate the issue: the timeout only abandons the caller's wait, while the worker thread performing the PBKDF2 computation may keep running after the timeout expires. Exploitation requires the attacker to control the endpoint the driver connects to, or to interpose on a connection that is not protected by TLS; applications that accept user-supplied JDBC URLs or connect to many third-party databases are the most exposed.

Recommendations
Update to version 42.7.11 or later. The driver is published on Maven Central as org.postgresql:postgresql; pin the fixed version there and check for older copies pulled in transitively (for example with `mvn dependency:tree`). Distribution-packaged builds are fixed through the vendor advisories listed under Related Identifiers. Until the update is applied, restrict the driver to trusted servers and connect over TLS with certificate verification (sslmode=verify-full), which removes the on-path variant of the attack.
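The exchange described above, as an added illustration that is not pgjdbc's code: a SCRAM-SHA-256 client parses the server-first message, refuses an oversized iteration count before PBKDF2 starts (the fix class the advisory describes), and shows why a caller-side timeout alone does not stop the derivation. The message layout (r=, s=, i=) follows RFC 5802; the cap value MAX_ITERATIONS, the helper names, and the sample messages are assumptions made for this example, and SASLprep normalisation of the password is omitted.

```python
"""SCRAM-SHA-256 server-first handling with an iteration-count ceiling.

Added illustration for the advisory above; it is not pgjdbc code. The
message layout (r=, s=, i= attributes) follows RFC 5802; the cap value,
helper names and sample messages are assumptions made for this example.
"""
import base64
import hashlib
import threading

# Assumed client-side ceiling. PostgreSQL's default is 4096, so a cap well
# above that still admits legitimate servers while bounding the CPU time a
# hostile server can demand per attempt.
MAX_ITERATIONS = 1_000_000


class ScramAuthError(Exception):
    """Malformed or unacceptable server-first message."""


def parse_server_first(msg: str) -> dict:
    """Parse 'r=<nonce>,s=<base64 salt>,i=<iterations>' into a dict."""
    fields = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            raise ScramAuthError(f"malformed attribute: {part!r}")
        fields[key] = value
    missing = {"r", "s", "i"} - fields.keys()
    if missing:
        raise ScramAuthError(f"missing attributes: {sorted(missing)}")
    try:
        iterations = int(fields["i"])
        salt = base64.b64decode(fields["s"], validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ScramAuthError(f"bad attribute value: {exc}") from None
    if iterations < 1:
        raise ScramAuthError("iteration count must be positive")
    return {"nonce": fields["r"], "salt": salt, "iterations": iterations}


def salted_password(password: str, salt: bytes, iterations: int,
                    cap: int = MAX_ITERATIONS) -> bytes:
    """SaltedPassword = Hi(password, salt, i), refusing oversized i.

    The check runs before PBKDF2 starts, so a rejected count costs nothing.
    SASLprep normalisation of the password is omitted for brevity.
    """
    if iterations > cap:
        raise ScramAuthError(
            f"server requested {iterations} iterations, cap is {cap}")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def derive_from_server_first(server_first: str, password: str,
                             cap: int = MAX_ITERATIONS) -> bytes:
    """Parse the server-first message and derive SaltedPassword, or refuse."""
    params = parse_server_first(server_first)
    return salted_password(password, params["salt"],
                           params["iterations"], cap)


def is_rejected(server_first: str, password: str = "pencil",
                cap: int = MAX_ITERATIONS) -> bool:
    """True when the message is refused before any PBKDF2 work is done."""
    try:
        derive_from_server_first(server_first, password, cap)
    except ScramAuthError:
        return True
    return False


def pbkdf2_outlives_timeout(iterations: int, timeout: float) -> bool:
    """Why a login timeout alone is not a fix.

    Starts an uncapped PBKDF2 on a worker thread, waits at most `timeout`
    seconds as a caller would, and reports whether the worker is still
    burning CPU afterwards. Daemon so the demo never blocks interpreter exit.
    """
    worker = threading.Thread(
        target=hashlib.pbkdf2_hmac,
        args=("sha256", b"pencil", b"saltsaltsaltsalt", iterations),
        daemon=True,
    )
    worker.start()
    worker.join(timeout)      # the caller gives up here ...
    return worker.is_alive()  # ... but the derivation keeps running


# Constructed messages for the demo (not captured from a real server).
_SALT_B64 = "c2FsdHNhbHRzYWx0c2FsdA=="  # base64 of b"saltsaltsaltsalt"
BENIGN_SERVER_FIRST = f"r=clientnonce1234servernonce5678,s={_SALT_B64},i=4096"
HOSTILE_SERVER_FIRST = f"r=clientnonce1234servernonce5678,s={_SALT_B64},i=2000000000"

if __name__ == "__main__":
    print("benign:", derive_from_server_first(BENIGN_SERVER_FIRST, "pencil").hex())
    print("hostile rejected:", is_rejected(HOSTILE_SERVER_FIRST))
    print("worker alive after timeout:", pbkdf2_outlives_timeout(20_000_000, 0.1))
```

The cap is checked on the parsed integer before hashlib.pbkdf2_hmac is called, which is the property that matters: an attacker who controls the server can still send any i= value, but the client now bounds its own work per attempt instead of trusting the peer. pbkdf2_outlives_timeout mirrors the loginTimeout caveat: join(timeout) returns, the caller moves on, and the thread is still alive consuming a core.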

Fix · DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

ALSA-2026:25030
BIT-POSTGRESQL-JDBC-DRIVER-2026-42198
CLEANSTART-2026-GX01236
CLEANSTART-2026-PO27799
CLEANSTART-2026-VJ37814
CVE-2026-42198
GHSA-98QH-XJC8-98PQ
OESA-2026-2443
OESA-2026-2444
OESA-2026-2445
OESA-2026-2446
OESA-2026-2501
OPENSUSE-SU-2026:11001-1
RHSA-2026:22304
SUSE-SU-2026:22000-1

Affected Products

Rocky Linux
Pgjdbc