CVE-2025-12194 - Vulnerability Details

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.

This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194

History

Fri, 24 Oct 2025 23:15:00 +0000

Type	Values Removed	Values Added
Description	Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.java. This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 3.73.7.	Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java. This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.

Fri, 24 Oct 2025 23:00:00 +0000

Type	Values Removed	Values Added
Description		Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.java. This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 3.73.7.
Weaknesses		CWE-400
References		https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194
Metrics		cvssV4_0 `{'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:P/AU:N/R:U/V:C/RE:M/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: bcorg

Published: 2025-10-24T22:51:36.942Z

Updated: 2025-10-24T23:01:19.091Z

Reserved: 2025-10-24T20:54:20.444Z

Link: CVE-2025-12194

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-24T23:15:39.277

Modified: 2025-10-24T23:15:39.277

Link: CVE-2025-12194

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object