PostgreSQL JDBC Client DOS via SCRAM Authentication Iteration

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.

Casky was already ahead

This CVE exploits attack patterns that Casky's 312matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

pgjdbc versions 42.2.0 through 42.7.10 contain a client-side denial of service vulnerability in SCRAM-SHA-256 authentication handling. A malicious PostgreSQL server can force the JDBC driver to execute PBKDF2 key derivation with an arbitrarily large iteration count, consuming unbounded CPU resources on the client side before authentication fails. This affects any application using vulnerable pgjdbc versions to connect to untrusted or compromised PostgreSQL instances, making it particularly dangerous in environments where database endpoints may be attacker-controlled or network-intercepted. A single malicious connection attempt can exhaust an entire CPU core, and repeated attempts can render client systems unresponsive.

Casky's 312 matching skills leverage Claude's extended reasoning to detect the attack patterns mapped to TA0040 (Impact) and TA0011 (Command and Control) techniques. Practitioners using Casky would identify suspicious SCRAM authentication flows characterized by exponentially increasing iteration counts in authentication handshakes, abnormal CPU utilization spikes during database connection establishment, and timing anomalies in cryptographic operations. The platform's skill set enables detection of resource exhaustion patterns before system degradation occurs, allowing teams to implement connection validation logic, upgrade pgjdbc to version 42.7.11 or later, or implement network-level controls to restrict database connections to trusted servers. Extended reasoning helps correlate authentication telemetry with system performance metrics to distinguish legitimate authentication delays from malicious iteration amplification attacks.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

312 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-42198.

analyzing-android-malware-with-apktool

malware analysis · medium

Run

analyzing-apt-group-with-mitre-navigator

threat intelligence · low

Run

analyzing-bootkit-and-rootkit-samples

malware analysis · medium

Run

MITRE ATT&CK Techniques

TA0040 TA0011

Investigate the attack patterns behind CVE-2026-42198

Casky has 312 skills that investigate the attack patterns behind CVE-2026-42198. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn