Description
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Published: 2026-04-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug resides in the PostgreSQL JDBC driver, where a malicious server can instruct a client during SCRAM‑SHA‑256 authentication to use an extremely high PBKDF2 iteration count. The driver dutifully executes the iteration count without bounds, causing the client to spend an unbounded amount of CPU time in the PBKDF2 routine before the authentication fails. One such attempt consumes an entire CPU core; repeated or concurrent attempts can tie up all available cores, effectively halting application traffic or stalling connection pools. This flaw is a classic example of uncontrolled resource consumption (CWE‑770).

Affected Systems

The vulnerability affects the pgjdbc driver from version 42.2.0 through the pre‑42.7.11 releases. The fix was introduced in release 42.7.11. Any application that depends on the vulnerable JDBC driver when connecting to a PostgreSQL server capable of dictating SCRAM iteration count is at risk.

Risk and Exploitability

The CVSS score of 7.5 reflects a high impact denial‑of‑service flaw. EPSS is unavailable, and the issue is not listed as a known exploited vulnerability in CISA KEV. An attacker requires control over the PostgreSQL server that the client connects to; by sending an authentication challenge with a huge iteration count the server forces the client to spend excessive CPU cycles. Because the driver performs the work in a worker thread that continues after the login timeout expires, the attack is not mitigated by connection‑timeout settings. In environments that rely on connection pools or high‑throughput services, this flaw can degrade performance or cause outages with repeated execution.

Generated by OpenCVE AI on April 29, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pgjdbc driver to version 42.7.11 or later.
  • If upgrading is delayed, configure the PostgreSQL server to use a reasonable SCRAM iteration count or disable SCRAM authentication for clients using older driver versions.
  • Consider switching to an alternative authentication method such as plain password authentication for legacy applications that cannot immediately upgrade.

Generated by OpenCVE AI on April 29, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Pgjdbc
Pgjdbc pgjdbc
Vendors & Products Pgjdbc
Pgjdbc pgjdbc

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Title pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Pgjdbc Pgjdbc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-29T18:32:01.348Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42198

cve-icon Vulnrichment

Updated: 2026-04-29T18:00:39.451Z

cve-icon NVD

Status : Received

Published: 2026-04-29T16:16:25.427

Modified: 2026-04-29T16:16:25.427

Link: CVE-2026-42198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:30:20Z

Weaknesses