CVE-2026-42198
Description
RHSA-2026:22304: postgresql-jdbc security update (Important)
Mitigations
Mitigation details
Description
jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat build of Quarkus 3.27.3.SP2 | pgjdbc | RHSA-2026:19098 | 2026-05-20T00:00:00Z |
| Red Hat Enterprise Linux 9 | postgresql-jdbc-0:42.2.28-2.el9_8.2 | RHSA-2026:22304 | 2026-06-01T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | postgresql-jdbc | Affected |
| Red Hat Enterprise Linux 6 | postgresql-jdbc | Will not fix |
| Red Hat Enterprise Linux 7 | postgresql-jdbc | Affected |
| Red Hat Enterprise Linux 8 | postgresql-jdbc | Affected |
Apply commands
```shell
# On RHEL the driver ships as the postgresql-jdbc package (see the errata table above), not pgjdbc
yum update -y postgresql-jdbc
# or:
dnf upgrade -y postgresql-jdbc
```
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 10 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| – | Affected | – |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | – |
| sid | Fixed | 42.7.11-1 |
| forky | Fixed | 42.7.11-1 |
| bullseye | Affected | – |
| bookworm | Affected | – |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | – |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.postgresql:postgresql | >=42.2.0,<42.7.11 | 42.7.11 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| postgresql | postgresql_jdbc_driver | >= 42.2.0, < 42.7.11 | 42.7.11 |
References
- https://github.com/pgjdbc/pgjdbc/releases/tag/REL42.7.11
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq
- https://nvd.nist.gov/vuln/detail/CVE-2026-42198
- https://github.com/pgjdbc/pgjdbc
- https://security-tracker.debian.org/tracker/CVE-2026-42198
- https://www.suse.com/security/cve/CVE-2026-42198.html
- https://github.com/advisories/GHSA-98qh-xjc8-98pq
- https://access.redhat.com/errata/RHSA-2026:22304
CWEs
CWE-770: Allocation of Resources Without Limits or Throttling