pgjdbc Client-Side DoS: Malicious Servers Can Exhaust CPU via SCRAM-SHA-256
The National Vulnerability Database (NVD) has detailed CVE-2026-42198, a client-side denial of service vulnerability affecting pgjdbc, the open-source PostgreSQL JDBC driver. Versions from 42.2.0 up to, but not including, 42.7.11 are susceptible during SCRAM-SHA-256 authentication. A malicious PostgreSQL server can exploit this by instructing the driver to perform SCRAM authentication with an excessively large iteration count.
This high iteration count forces the client to spend an unbounded amount of CPU time within the PBKDF2 computation before authentication can fail. A single connection attempt can tie up an entire CPU core, and repeated or concurrent attempts will exhaust client CPU resources, potentially wedging connection pools. The NVD notes that the loginTimeout mechanism did not fully mitigate this issue in affected versions; while the caller might stop waiting, the worker thread would continue burning CPU cycles on the PBKDF2 calculation.
The vulnerability, rated with a CVSS score of 7.5 (HIGH), stems from a CWE-770 (Improper Limitation of a Resource). The fix is available in pgjdbc version 42.7.11. This isn’t just a theoretical issue; it’s a direct path to service disruption for any application relying on affected pgjdbc versions to connect to PostgreSQL databases, especially in environments where database credentials might be controlled by external or untrusted parties.
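The defect described above is a missing bound on a value the peer controls: the client takes the `i=` attribute of the SCRAM server-first-message and feeds it straight into PBKDF2. The following Java class is an added illustration written for this page, not pgjdbc's own code, showing where such a bound belongs. The message layout (`r=`, `s=`, `i=`) and the 4096 floor come from RFC 5802/7677; the class name, the `MAX_ITERATIONS` ceiling, and the sample messages in `main` are assumptions constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added illustration, not pgjdbc code: a SCRAM-SHA-256 client that validates the
 * server-supplied iteration count before any PBKDF2 work is done. The ceiling
 * (MAX_ITERATIONS) is an assumed policy value chosen for this example.
 */
public final class ScramIterationGuard {

    /** RFC 7677 requires at least 4096 iterations; PostgreSQL's default is 4096. */
    static final int MIN_ITERATIONS = 4096;
    /** Assumed ceiling: generous for real servers, far below what a hostile one would send. */
    static final int MAX_ITERATIONS = 1_000_000;

    static final class ServerFirst {
        final String nonce;
        final byte[] salt;
        final int iterations;
        ServerFirst(String nonce, byte[] salt, int iterations) {
            this.nonce = nonce; this.salt = salt; this.iterations = iterations;
        }
    }

    /** Parses a server-first-message of the form "r=<nonce>,s=<base64 salt>,i=<count>" (RFC 5802). */
    static ServerFirst parseServerFirst(String message) {
        String nonce = null;
        byte[] salt = null;
        long iterations = -1;
        for (String attr : message.split(",")) {
            if (attr.length() < 2 || attr.charAt(1) != '=') {
                throw new IllegalArgumentException("malformed SCRAM attribute: " + attr);
            }
            String value = attr.substring(2);
            switch (attr.charAt(0)) {
                case 'r': nonce = value; break;
                case 's': salt = Base64.getDecoder().decode(value); break;
                case 'i':
                    try {
                        iterations = Long.parseLong(value);
                    } catch (NumberFormatException e) {
                        // covers non-numeric values and numbers too large for a long
                        throw new IllegalArgumentException("unparseable iteration count: " + value);
                    }
                    break;
                default: break; // SCRAM extensions are ignored
            }
        }
        if (nonce == null || salt == null || iterations < 0) {
            throw new IllegalArgumentException("incomplete server-first-message");
        }
        // The check that closes the CPU-exhaustion path: reject before PBKDF2 ever runs.
        if (iterations < MIN_ITERATIONS || iterations > MAX_ITERATIONS) {
            throw new IllegalArgumentException("refusing SCRAM iteration count " + iterations
                    + " (allowed range " + MIN_ITERATIONS + ".." + MAX_ITERATIONS + ")");
        }
        return new ServerFirst(nonce, salt, (int) iterations);
    }

    /**
     * SaltedPassword := PBKDF2-HMAC-SHA-256(password, salt, i), reached only with a bounded i.
     * SASLprep normalisation of the password is omitted for brevity.
     */
    static byte[] saltedPassword(char[] password, ServerFirst sf) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, sf.salt, sf.iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages; salt, nonce and password are arbitrary test values.
        String salt = Base64.getEncoder().encodeToString("constructed-salt".getBytes(StandardCharsets.US_ASCII));
        String benign = "r=clientNonceServerNonce,s=" + salt + ",i=4096";
        String hostile = "r=clientNonceServerNonce,s=" + salt + ",i=2000000000";

        byte[] key = saltedPassword("example-password".toCharArray(), parseServerFirst(benign));
        System.out.println("benign message accepted, derived " + key.length + " key bytes");

        try {
            parseServerFirst(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("hostile message rejected before PBKDF2: " + e.getMessage());
        }
    }
}
```

Because the range check sits in the parser, the hostile message never reaches `saltedPassword`, so there is no long-running PBKDF2 call for a `loginTimeout` to race against; the caller gets an immediate authentication failure instead of a wedged worker thread.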
What This Means For You
- If your applications use the pgjdbc driver for PostgreSQL connections, you are exposed to a client-side denial of service. This isn't about your server being breached, but about your application clients becoming unresponsive. Immediately verify your pgjdbc version. Patch to 42.7.11 or later to mitigate CVE-2026-42198 and prevent malicious or compromised PostgreSQL servers from crippling your client applications.
🛡️ Detection Rules
```yaml
title: CVE-2026-42198 - pgjdbc SCRAM-SHA-256 CPU Exhaustion
id: scw-2026-04-29-ai-1
status: experimental
level: high
description: |
  Detects potential exploitation of CVE-2026-42198 by identifying Java processes attempting SCRAM-SHA-256 authentication with pgjdbc. A malicious PostgreSQL server can exploit this vulnerability by sending a very large iteration count during SCRAM-SHA-256 authentication, causing the client (pgjdbc) to consume excessive CPU resources. This rule looks for Java processes that might be involved in such authentication attempts, which could lead to a denial of service by exhausting client CPU and connection pools.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42198/
tags:
  - attack.impact
  - attack.t1499
logsource:
  # Image and CommandLine are process-creation fields (Sysmon event 1 / Windows 4688),
  # so the logsource must be process_creation rather than authentication.
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'java.exe'
    CommandLine|contains:
      # pgjdbc reads its settings from the JDBC URL or a Properties object, not from
      # this system property; adjust the selector to how your own services are launched.
      - '-Dpgjdbc.ssl=true'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42198 | DoS | pgjdbc versions 42.2.0 to 42.7.10 |
| CVE-2026-42198 | DoS | Client-side denial of service during SCRAM-SHA-256 authentication |
| CVE-2026-42198 | DoS | Vulnerable to malicious server instructing large SCRAM iteration count |
| CVE-2026-42198 | DoS | PBKDF2 computation with unbounded CPU time |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.