Description
Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).

This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.



This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Published: 2026-04-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bouncy Castle BC‑JAVA’s bcpg module allocates resource based on unbounded chunk size in PGP AEAD processing, leading to uncontrolled memory consumption without any throttling. An attacker can supply a malicious PGP data file containing large chunk sizes that cause the library to reserve excessive amounts of memory or other system resources before any authentication occurs. This results in resource exhaustion, crashes, or denial of service, aligning with CWE‑400 and CWE‑770.

Affected Systems

The vulnerability affects Bouncy Castle BC‑JAVA bcpg implementations from version 1.74 up to but not including 1.80.2, from 1.81 up to but not including 1.81.1, and from 1.82 up to but not including 1.84. Any system that processes PGP data with an affected library version could be impacted.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. The EPSS score of 0.0006 (<1%) suggests a low exploitation probability, although it is not zero. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted PGP data sent to an application that uses the vulnerable library; the attacker needs only to transmit a malicious file before authentication to trigger the exhaustion. Because memory allocation is unbounded, the impact can range from a local resource drain to a full denial of service against the affected system.

Generated by OpenCVE AI on May 19, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bouncy Castle BC‑JAVA to version 1.84 or later to eliminate the unbounded chunk size processing
  • If an immediate upgrade is not possible, restrict access to the application from trusted IPs or implement network‑level rate limiting to mitigate the large input attack
  • Deploy application‑level resource limits (e.g., memory caps or ulimits) and monitor for anomalous memory usage patterns to prevent exhaustion from occurring

Generated by OpenCVE AI on May 19, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cj8j-37rh-8475 Bouncy Castle Uncontrolled Resource Consumption vulnerability
History

Tue, 19 May 2026 00:00:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.84. Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Tue, 21 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion. Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.84.

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Bouncycastle
Bouncycastle bc-java
Vendors & Products Bouncycastle
Bouncycastle bc-java

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

 cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Wed, 15 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
References

Wed, 15 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Title Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Bouncycastle Bc-java
cve-icon MITRE

Status: PUBLISHED

Assigner: bcorg

Published:

Updated: 2026-05-18T23:21:21.526Z

Reserved: 2026-03-04T00:44:50.028Z

Link: CVE-2026-3505

cve-icon Vulnrichment

Updated: 2026-04-15T13:10:51.998Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-15T10:16:49.133

Modified: 2026-05-19T00:16:37.467

Link: CVE-2026-3505

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T09:06:37Z

Links: CVE-2026-3505 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T02:00:14Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling