Description
Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84.

Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Published: 2026-04-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Pre‑authentication Resource Exhaustion
Action: Apply patch
AI Analysis

Impact

Bouncy Castle’s BC‑JAVA library allows creating PGP AEAD objects without limiting the chunk size that is processed. An attacker can craft an input file with extremely large chunk sizes, forcing the library to allocate memory or other resources before any authentication happens. This uncontrolled allocation can exhaust server memory or swap, leading to denial of service or a crash. The weakness matches CWE‑770 (Resource Exhaustion) and CWE‑400 (Uncontrolled Resource Consumption).

Affected Systems

The vulnerability affects all Bouncy Castle BC‑JAVA bcpg implementations before version 1.84. Any system that processes PGP data with an affected library version could be impacted.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. EPSS is not available, so current exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted PGP data sent to an application that uses the vulnerable library; the attacker needs only to transmit a malicious file before authentication to trigger the exhaustion. Because memory allocation is unbounded, the impact can range from a local resource drain to a full denial of service against the affected system.

Generated by OpenCVE AI on April 15, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bouncy Castle BC‑JAVA to version 1.84 or later to eliminate the unbounded chunk size processing
  • If an immediate upgrade is not possible, restrict access to the application from trusted IPs or implement network‑level rate limiting to mitigate the large input attack
  • Deploy application‑level resource limits (e.g., memory caps or ulimits) and monitor for anomalous memory usage patterns to prevent exhaustion from occurring

Generated by OpenCVE AI on April 15, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Bouncycastle
Bouncycastle bc-java
Vendors & Products Bouncycastle
Bouncycastle bc-java

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

 cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Wed, 15 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
References

Wed, 15 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Title Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Bouncycastle Bc-java
cve-icon MITRE

Status: PUBLISHED

Assigner: bcorg

Published:

Updated: 2026-04-15T13:10:55.206Z

Reserved: 2026-03-04T00:44:50.028Z

Link: CVE-2026-3505

cve-icon Vulnrichment

Updated: 2026-04-15T13:10:51.998Z

cve-icon NVD

Status : Received

Published: 2026-04-15T10:16:49.133

Modified: 2026-04-15T11:16:35.413

Link: CVE-2026-3505

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:07Z

Weaknesses