CVE-2026-3293
Received Received - Intake
Inefficient Regex Complexity in Snowflake-JDBC SdkProxyRoutePlanner

Publication date: 2026-02-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3293
EUVD
EUVD-2026-9002
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
snowflake snowflake_jdbc to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the snowflake-jdbc component, specifically in the SdkProxyRoutePlanner function of the JDBC URL Handler. It involves manipulation of the argument nonProxyHosts, which can cause inefficient regular expression complexity. This means that if an attacker manipulates this argument locally, it could lead to performance issues or resource exhaustion due to the way regular expressions are processed.

The vulnerability can only be exploited locally and the exploit code has been made publicly available. A patch has been released to fix this issue.

Impact Analysis

The impact of this vulnerability is primarily a denial of service through inefficient regular expression processing, which can degrade system performance or cause resource exhaustion.

Since the attack requires local access, it limits the risk to users or attackers who already have some level of access to the system.

The CVSS scores indicate a low to moderate impact, with no confidentiality or integrity loss, but potential availability impact.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should apply the patch identified as 5fb0a8a318a2ed87f4022a1f56e742424ba94052 to the snowflake-jdbc component.

Since the attack can only be executed locally, ensure that local access to the affected system is properly controlled and restricted.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3293. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart