Description
Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.

This issue affects BC-JAVA: from 1.74 before 1.84.
Published: 2026-04-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Pre‑authentication Resource Exhaustion
Action: Apply patch
AI Analysis

Impact

Bouncy Castle’s BC‑JAVA library processes PGP AEAD packets with an unbounded chunk size, leading to uncontrolled memory allocation before any authentication verification. An attacker can supply a crafted PGP data file that forces the library to reserve large amounts of memory or other system resources, causing resource exhaustion, crashes, or denial of service. This uncontrolled resource consumption reflects CWE‑400 (Uncontrolled Resource Consumption) and the broader Resource Exhaustion weakness CWE‑770.

Affected Systems

The vulnerability affects all Bouncy Castle BC‑JAVA bcpg implementations before version 1.84. Any system that processes PGP data with an affected library version could be impacted.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. The EPSS score of 0.00055 (<1%) suggests a low exploitation probability, although it is not zero. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted PGP data sent to an application that uses the vulnerable library; the attacker needs only to transmit a malicious file before authentication to trigger the exhaustion. Because memory allocation is unbounded, the impact can range from a local resource drain to a full denial of service against the affected system.

Generated by OpenCVE AI on April 22, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bouncy Castle BC‑JAVA to version 1.84 or later to eliminate the unbounded chunk size processing
  • If an immediate upgrade is not possible, restrict access to the application from trusted IPs or implement network‑level rate limiting to mitigate the large input attack
  • Deploy application‑level resource limits (e.g., memory caps or ulimits) and monitor for anomalous memory usage patterns to prevent exhaustion from occurring

Generated by OpenCVE AI on April 22, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cj8j-37rh-8475 Bouncy Castle Uncontrolled Resource Consumption vulnerability
History

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Tue, 21 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion. Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.84.

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Bouncycastle
Bouncycastle bc-java
Vendors & Products Bouncycastle
Bouncycastle bc-java

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

 cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Wed, 15 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
References

Wed, 15 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Title Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Bouncycastle Bc-java
cve-icon MITRE

Status: PUBLISHED

Assigner: bcorg

Published:

Updated: 2026-04-21T16:04:10.293Z

Reserved: 2026-03-04T00:44:50.028Z

Link: CVE-2026-3505

cve-icon Vulnrichment

Updated: 2026-04-15T13:10:51.998Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-15T10:16:49.133

Modified: 2026-04-21T17:16:53.467

Link: CVE-2026-3505

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T09:06:37Z

Links: CVE-2026-3505 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses