DEBIAN-CVE-2026-42198

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-42198

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42198.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-42198

Upstream

CVE-2026-42198

Published

2026-04-29T16:16:25.427Z

Modified

2026-05-02T12:00:17.400505Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

References

https://security-tracker.debian.org/tracker/CVE-2026-42198

Affected packages

Debian:11 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

42.*

42.2.15-1

42.2.15-1+deb11u1

42.2.15-1+deb11u2

42.2.20-1

42.2.22-1

42.2.23-1

42.2.24-1

42.3.1-1

42.3.2-1

42.3.3-1

42.3.4-1

42.3.5-1

42.3.6-1

42.4.0-1

42.4.1-1

42.4.2-1

42.5.0-1

42.5.1-1

42.5.3-1

42.5.4-1

42.6.0-1

42.6.0-2

42.7.0-1

42.7.1-1

42.7.2-1

42.7.3-1

42.7.3-2

42.7.5-1

42.7.5-2

42.7.6-1

42.7.7-1

42.7.7-2

42.7.8-1

42.7.8-2

42.7.9-1

42.7.10-1

42.7.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42198.json"

Debian:12 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

42.*

42.5.4-1

42.5.5-0+deb12u1

42.6.0-1

42.6.0-2

42.7.0-1

42.7.1-1

42.7.2-1

42.7.3-1

42.7.3-2

42.7.5-1

42.7.5-2

42.7.6-1

42.7.7-1

42.7.7-2

42.7.8-1

42.7.8-2

42.7.9-1

42.7.10-1

42.7.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42198.json"

Debian:13 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

42.*

42.7.7-1

42.7.7-2

42.7.8-1

42.7.8-2

42.7.9-1

42.7.10-1

42.7.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42198.json"

Debian:14 / libpgjava

Package

Name: libpgjava
Purl: pkg:deb/debian/libpgjava?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

42.7.11-1

Affected versions

42.*

42.7.7-1

42.7.7-2

42.7.8-1

42.7.8-2

42.7.9-1

42.7.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42198.json"