{
  "threat_severity" : "Important",
  "public_date" : "2026-04-29T15:58:49Z",
  "bugzilla" : {
    "description" : "jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication",
    "id" : "2463857",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463857"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "A flaw was found in pgjdbc, an open-source PostgreSQL JDBC Driver. A malicious server can exploit this vulnerability by instructing the driver to perform SCRAM-SHA-256 (Salted Challenge Response Authentication Mechanism Secure Hash Algorithm 256) authentication with an excessively large iteration count. Because the driver does not cap this server-supplied value, the client spends an unbounded amount of CPU time performing PBKDF2 (Password-Based Key Derivation Function 2) computations, leading to a client-side Denial of Service (DoS). This can exhaust client CPU resources and stall connection pools." ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Affected",
    "package_name" : "pgjdbc",
    "cpe" : "cpe:/a:redhat:quarkus:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "postgresql-jdbc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "postgresql-jdbc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "postgresql-jdbc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "postgresql-jdbc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "postgresql-jdbc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42198\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42198\nhttps://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11\nhttps://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq" ],
  "name" : "CVE-2026-42198",
  "csaw" : false
}