Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-04-29T15:58:49 jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-770

A flaw was found in pgjdbc, an open-source PostgreSQL JDBC Driver. A malicious server can exploit this vulnerability by instructing the driver to perform SCRAM-SHA-256 (Salted Challenge Response Authentication Mechanism Secure Hash Algorithm 256) authentication with an excessively large iteration count. This causes the client to spend an unbounded amount of CPU time performing PBKDF2 (Password-Based Key Derivation Function 2) computations, leading to a client-side Denial of Service (DoS). This can exhaust client CPU resources and wedge connection pools.

Red Hat build of Quarkus Affected pgjdbc Red Hat Enterprise Linux 10 Affected postgresql-jdbc Red Hat Enterprise Linux 6 Will not fix postgresql-jdbc Red Hat Enterprise Linux 7 Affected postgresql-jdbc Red Hat Enterprise Linux 8 Affected postgresql-jdbc Red Hat Enterprise Linux 9 Affected postgresql-jdbc https://www.cve.org/CVERecord?id=CVE-2026-42198 https://nvd.nist.gov/vuln/detail/CVE-2026-42198 https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq