BIT-postgresql-jdbc-driver-2026-42198
Denial of service vulnerability in postgresql (Maven)

Denial of service. No known exploit.

What is BIT-postgresql-jdbc-driver-2026-42198 About?

This vulnerability in pgjdbc leads to a client-side denial of service during SCRAM-SHA-256 authentication. The PBKDF2 iteration count the client uses to derive its SaltedPassword is supplied by the server, and a malicious server can choose it freely, forcing the client to spend effectively unbounded CPU time on the derivation, exhausting client resources and potentially wedging connection pools. Exploitation requires specific conditions, but any malicious or compromised PostgreSQL endpoint the client connects to can trigger it with moderate ease.

Affected Software

org.postgresql:postgresql >=42.2.0, <42.7.11

Technical Details

The vulnerability occurs when pgjdbc's SCRAM-SHA-256 authentication is used against a malicious, compromised, or attacker-controlled PostgreSQL endpoint. During the SCRAM handshake the server-first-message carries the salt and the PBKDF2 iteration count (a genuine PostgreSQL server sends 4096 by default); the client must run that many HMAC-SHA-256 rounds to derive SaltedPassword before it can send its proof. Affected pgjdbc versions accept whatever count the server sends, so a very large value makes the client perform an unbounded amount of work. The cost is linear in the iteration count, and it is paid before SCRAM's server-signature check, which can only happen after the derivation. Setting loginTimeout does not help: the calling thread stops waiting, but the worker thread performing the connection attempt can keep running the computation and consuming CPU, so repeated attempts exhaust the client's connection pool. This does not provide authentication bypass or privilege escalation, but it severely impacts availability.
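The client-side step described above, as an added Python example rather than pgjdbc's own code: the SCRAM server-first-message is parsed, the iteration count is read out, and the PBKDF2 derivation of SaltedPassword is only performed when the count is within a cap. The cap value MAX_ITERATIONS, the sample password, the salt and the two constructed messages are assumptions for illustration; 4096 is the PostgreSQL server default. An unpatched client behaves like salted_password with the cap removed.

```python
import base64
import hashlib
import re
import time
from typing import Optional, Tuple

# PostgreSQL servers send i=4096 by default. The cap below is an assumed value
# chosen for this example, not a constant taken from pgjdbc.
DEFAULT_SERVER_ITERATIONS = 4096
MAX_ITERATIONS = 1_000_000

# server-first-message (RFC 5802 section 7): r=<nonce>,s=<base64 salt>,i=<count>[,extensions]
SERVER_FIRST_RE = re.compile(r"^r=([^,]+),s=([^,]+),i=(\d+)(?:,.*)?$")


class UntrustedServerFirst(ValueError):
    """Raised when the server-first-message is malformed or asks for unreasonable work."""


def parse_server_first(msg: str, client_nonce: Optional[str] = None) -> Tuple[str, bytes, int]:
    """Split a server-first-message into (nonce, salt bytes, iteration count).

    If client_nonce is given, enforce the RFC 5802 rule that the server nonce
    starts with the client nonce; a server that violates it is not answering us.
    """
    m = SERVER_FIRST_RE.match(msg)
    if not m:
        raise UntrustedServerFirst("malformed server-first-message")
    nonce, salt_b64, iters = m.group(1), m.group(2), int(m.group(3))
    if client_nonce is not None and not nonce.startswith(client_nonce):
        raise UntrustedServerFirst("server nonce does not extend the client nonce")
    try:
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError as exc:
        raise UntrustedServerFirst(f"bad salt encoding: {exc}") from exc
    return nonce, salt, iters


def salted_password(password: str, msg: str, *, client_nonce: Optional[str] = None,
                    max_iterations: int = MAX_ITERATIONS) -> bytes:
    """Compute SaltedPassword = Hi(password, salt, i) the way a SCRAM client does.

    The unpatched behaviour is to call PBKDF2 with whatever i the server sent; the
    cost is linear in i, so i = 2^31-1 is about 524k times the default work.
    Here the count is checked before any PBKDF2 work is started.
    """
    _, salt, iters = parse_server_first(msg, client_nonce)
    if iters < 1 or iters > max_iterations:
        raise UntrustedServerFirst(
            f"iteration count {iters} outside [1, {max_iterations}]; refusing to derive")
    # SASLprep normalisation is omitted: the example password is plain ASCII.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)


def work_ratio(msg: str) -> float:
    """How many times the default server work the message asks for; useful for logging."""
    return parse_server_first(msg)[2] / DEFAULT_SERVER_ITERATIONS


# Constructed sample messages (not captured traffic); salt and nonces are arbitrary.
SAMPLE_SALT_B64 = base64.b64encode(b"\x01\x02\x03\x04\x05\x06\x07\x08").decode()
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
BENIGN_MSG = f"r={CLIENT_NONCE}3rfcNHYJY1ZVvWVs7j,s={SAMPLE_SALT_B64},i=4096"
HOSTILE_MSG = f"r={CLIENT_NONCE}3rfcNHYJY1ZVvWVs7j,s={SAMPLE_SALT_B64},i=2147483647"


if __name__ == "__main__":
    # Show the linear cost growth on two accepted counts, then the refusal.
    for i in (4096, 65536):
        msg = f"r={CLIENT_NONCE}x,s={SAMPLE_SALT_B64},i={i}"
        t0 = time.perf_counter()
        salted_password("pencil", msg, client_nonce=CLIENT_NONCE)
        print(f"i={i:>6}: {time.perf_counter() - t0:.4f}s")
    try:
        salted_password("pencil", HOSTILE_MSG, client_nonce=CLIENT_NONCE)
    except UntrustedServerFirst as exc:
        print("rejected:", exc)
```

The check has to sit before the derivation, not around it: a timeout that merely stops waiting for the result leaves the PBKDF2 loop running, which is exactly the loginTimeout problem the advisory describes.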

What is the Impact of BIT-postgresql-jdbc-driver-2026-42198?

Successful exploitation may allow attackers to exhaust client-side CPU resources, leading to client-side denial of service, stalled connection pools, and reduced application availability. This can render services unresponsive or completely non-functional if connection attempts cannot complete.

What is the Exploitability of BIT-postgresql-jdbc-driver-2026-42198?

Exploitation complexity is moderate, requiring specific conditions. Prerequisites are that SCRAM-SHA-256 authentication is in use and that the client connects to a malicious, compromised, or attacker-controlled PostgreSQL endpoint that sends a large PBKDF2 iteration count. No valid credentials are needed: the cost is incurred during the authentication handshake, before the client has proved anything to the server. The attack is remote, since it takes place on the connection between client and server. It is most relevant where applications accept untrusted connection details, connect to servers that may be compromised, or run in environments exposed to network redirection or server impersonation. Risk is increased by connection retries, many parallel connection attempts, and reliance on loginTimeout as a complete mitigation instead of patching.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-postgresql-jdbc-driver-2026-42198?

Available Upgrade Options

  • org.postgresql:postgresql
    • >=42.2.0, <42.7.11 → Upgrade to 42.7.11

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to BIT-postgresql-jdbc-driver-2026-42198?

Similar Vulnerabilities: CVE-2023-34035, CVE-2024-21626, CVE-2023-44487, CVE-2021-39181, CVE-2016-0777