Vulnerability-Lookup

WID-SEC-W-2026-1129

Vulnerability from csaf_certbund - Published: 2026-04-15 22:00 - Updated: 2026-06-10 22:00

Summary

Bouncy Castle BC-JAVA: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Bouncy Castle ist eine Kryptographie-API für Java.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Bouncy Castle BC-JAVA ausnutzen, um kryptografische Sicherheitsvorkehrungen zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Linux - MacOS X - Sonstiges - UNIX - Windows

CVE-2025-14813

Affected products

Known affected 10 products

Product	Identifier	Version
Open Source DBeaver <26.0.4 Open Source / DBeaver		<26.0.4
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Apache Camel for Spring Boot Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:apache_camel_for_spring_boot`	Apache Camel for Spring Boot
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
IBM Tivoli Network Manager IP Edition 4.2.0 IBM / Tivoli Network Manager	`cpe:/a:ibm:tivoli_network_manager:ip_edition_4.2.0`	IP Edition 4.2.0
Open Source Bouncy Castle <1.84 Open Source / Bouncy Castle		<1.84
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
Open Source Keycloak <26.6.2 Open Source / Keycloak		<26.6.2

CVE-2026-0636

Affected products

Known affected 10 products

Product	Identifier	Version
Open Source DBeaver <26.0.4 Open Source / DBeaver		<26.0.4
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Apache Camel for Spring Boot Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:apache_camel_for_spring_boot`	Apache Camel for Spring Boot
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
IBM Tivoli Network Manager IP Edition 4.2.0 IBM / Tivoli Network Manager	`cpe:/a:ibm:tivoli_network_manager:ip_edition_4.2.0`	IP Edition 4.2.0
Open Source Bouncy Castle <1.84 Open Source / Bouncy Castle		<1.84
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
Open Source Keycloak <26.6.2 Open Source / Keycloak		<26.6.2

CVE-2026-3505

Affected products

Known affected 10 products

Product	Identifier	Version
Open Source DBeaver <26.0.4 Open Source / DBeaver		<26.0.4
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Apache Camel for Spring Boot Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:apache_camel_for_spring_boot`	Apache Camel for Spring Boot
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
IBM Tivoli Network Manager IP Edition 4.2.0 IBM / Tivoli Network Manager	`cpe:/a:ibm:tivoli_network_manager:ip_edition_4.2.0`	IP Edition 4.2.0
Open Source Bouncy Castle <1.84 Open Source / Bouncy Castle		<1.84
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
Open Source Keycloak <26.6.2 Open Source / Keycloak		<26.6.2

CVE-2026-5588

Affected products

Known affected 10 products

Product	Identifier	Version
Open Source DBeaver <26.0.4 Open Source / DBeaver		<26.0.4
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Apache Camel for Spring Boot Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:apache_camel_for_spring_boot`	Apache Camel for Spring Boot
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
IBM Tivoli Network Manager IP Edition 4.2.0 IBM / Tivoli Network Manager	`cpe:/a:ibm:tivoli_network_manager:ip_edition_4.2.0`	IP Edition 4.2.0
Open Source Bouncy Castle <1.84 Open Source / Bouncy Castle		<1.84
IBM MQ IBM	`cpe:/a:ibm:mq:-`	—
Open Source Keycloak <26.6.2 Open Source / Keycloak		<26.6.2

References

25 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	external
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	external
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	external
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	external
https://github.com/bcgit/bc-java/releases/tag/r1rv84	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://github.com/dbeaver/dbeaver/releases/tag/26.0.4	external
https://access.redhat.com/errata/RHSA-2026:11720	external
https://access.redhat.com/errata/RHSA-2026:11721	external
https://access.redhat.com/errata/RHSA-2026:13631	external
https://access.redhat.com/errata/RHSA-2026:14276	external
https://access.redhat.com/errata/RHSA-2026:14272	external
https://access.redhat.com/errata/RHSA-2026:17668	external
https://www.ibm.com/support/pages/node/7273145	external
https://access.redhat.com/errata/RHSA-2026:18059	external
https://access.redhat.com/errata/RHSA-2026:18054	external
https://access.redhat.com/errata/RHSA-2026:18055	external
https://www.keycloak.org/2026/05/keycloak-2662-released	external
https://access.redhat.com/errata/RHSA-2026:21772	external
https://access.redhat.com/errata/RHSA-2026:24977	external
https://www.ibm.com/support/pages/node/7275937	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Bouncy Castle ist eine Kryptographie-API f\u00fcr Java.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Bouncy Castle BC-JAVA ausnutzen, um kryptografische Sicherheitsvorkehrungen zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1129 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1129.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1129 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1129"
      },
      {
        "category": "external",
        "summary": "BouncyCastle Wiki CVE-2025-14813 vom 2026-04-15",
        "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813"
      },
      {
        "category": "external",
        "summary": "BouncyCastle Wiki CVE-2026-0636 vom 2026-04-15",
        "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636"
      },
      {
        "category": "external",
        "summary": "BouncyCastle Wiki CVE-2026-3505 vom 2026-04-15",
        "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505"
      },
      {
        "category": "external",
        "summary": "BouncyCastle Wiki CVE-2026-5588 vom 2026-04-15",
        "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-04-15",
        "url": "https://github.com/bcgit/bc-java/releases/tag/r1rv84"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10571-1 vom 2026-04-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HGBBPEJ3FFTXLISJLILUZ4P6VWU4FBFE/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1639-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025753.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21404-1 vom 2026-04-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025782.html"
      },
      {
        "category": "external",
        "summary": "DBeaver Release 26.0.4 vom 2026-05-03",
        "url": "https://github.com/dbeaver/dbeaver/releases/tag/26.0.4"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11720 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:11720"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11721 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:11721"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13631 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13631"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14276 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14276"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:14272 vom 2026-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2026:14272"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17668 vom 2026-05-14",
        "url": "https://access.redhat.com/errata/RHSA-2026:17668"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7273145 vom 2026-05-15",
        "url": "https://www.ibm.com/support/pages/node/7273145"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18059 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18059"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18054 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18054"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18055 vom 2026-05-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:18055"
      },
      {
        "category": "external",
        "summary": "Keycloak 26.6.2 release vom 2026-05-19",
        "url": "https://www.keycloak.org/2026/05/keycloak-2662-released"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:21772 vom 2026-05-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:21772"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:24977 vom 2026-06-10",
        "url": "https://access.redhat.com/errata/RHSA-2026:24977"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7275937 vom 2026-06-11",
        "url": "https://www.ibm.com/support/pages/node/7275937"
      }
    ],
    "source_lang": "en-US",
    "title": "Bouncy Castle BC-JAVA: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-10T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-11T11:41:00.824+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1129",
      "initial_release_date": "2026-04-15T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-05-04T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-17T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-09T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-10T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM MQ",
            "product": {
              "name": "IBM MQ",
              "product_id": "T021398",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:mq:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "IP Edition 4.2.0",
                "product": {
                  "name": "IBM Tivoli Network Manager IP Edition 4.2.0",
                  "product_id": "T048330",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:tivoli_network_manager:ip_edition_4.2.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tivoli Network Manager"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.84",
                "product": {
                  "name": "Open Source Bouncy Castle \u003c1.84",
                  "product_id": "T052875"
                }
              },
              {
                "category": "product_version",
                "name": "1.84",
                "product": {
                  "name": "Open Source Bouncy Castle 1.84",
                  "product_id": "T052875-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.84"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Bouncy Castle"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c26.0.4",
                "product": {
                  "name": "Open Source DBeaver \u003c26.0.4",
                  "product_id": "T053463"
                }
              },
              {
                "category": "product_version",
                "name": "26.0.4",
                "product": {
                  "name": "Open Source DBeaver 26.0.4",
                  "product_id": "T053463-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:dbeaver:dbeaver:26.0.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "DBeaver"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c26.6.2",
                "product": {
                  "name": "Open Source Keycloak \u003c26.6.2",
                  "product_id": "T054335"
                }
              },
              {
                "category": "product_version",
                "name": "26.6.2",
                "product": {
                  "name": "Open Source Keycloak 26.6.2",
                  "product_id": "T054335-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:keycloak:keycloak:26.6.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Keycloak"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Apache Camel for Spring Boot",
                "product": {
                  "name": "Red Hat Enterprise Linux Apache Camel for Spring Boot",
                  "product_id": "T040879",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:apache_camel_for_spring_boot"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Dev Spaces \u003c3.28.0",
                "product": {
                  "name": "Red Hat OpenShift Dev Spaces \u003c3.28.0",
                  "product_id": "T054838"
                }
              },
              {
                "category": "product_version",
                "name": "Dev Spaces 3.28.0",
                "product": {
                  "name": "Red Hat OpenShift Dev Spaces 3.28.0",
                  "product_id": "T054838-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:dev_spaces__3.28.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenShift"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-14813",
      "product_status": {
        "known_affected": [
          "T053463",
          "T002207",
          "67646",
          "T040879",
          "T054838",
          "T027843",
          "T048330",
          "T052875",
          "T021398",
          "T054335"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2025-14813"
    },
    {
      "cve": "CVE-2026-0636",
      "product_status": {
        "known_affected": [
          "T053463",
          "T002207",
          "67646",
          "T040879",
          "T054838",
          "T027843",
          "T048330",
          "T052875",
          "T021398",
          "T054335"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2026-0636"
    },
    {
      "cve": "CVE-2026-3505",
      "product_status": {
        "known_affected": [
          "T053463",
          "T002207",
          "67646",
          "T040879",
          "T054838",
          "T027843",
          "T048330",
          "T052875",
          "T021398",
          "T054335"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2026-3505"
    },
    {
      "cve": "CVE-2026-5588",
      "product_status": {
        "known_affected": [
          "T053463",
          "T002207",
          "67646",
          "T040879",
          "T054838",
          "T027843",
          "T048330",
          "T052875",
          "T021398",
          "T054335"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2026-5588"
    }
  ]
}

CVE-2025-14813 (GCVE-0-2025-14813)

Vulnerability from cvelistv5 – Published: 2026-04-15 08:56 – Updated: 2026-05-18 23:15

Title

GOSTCTR implementation unable to process more than 255 blocks correctly

Summary

: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. This issue affects BC-JAVA: from 1.59 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Severity

9.3 (Critical)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

bcorg

References

3 references

URL	Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	vendor-advisory
https://github.com/bcgit/bc-java/commit/b42574345…	patch
https://github.com/bcgit/bc-java/commit/701686cb0…	patch

Impacted products

1 product

Vendor	Product	Version
Legion of the Bouncy Castle Inc.	BC-JAVA	Affected: 1.59 , < 1.80.2 (maven) Affected: 1.81 , < 1.81.1 (maven) Affected: 1.82 , < 1.84 (maven)

Credits

XlabAI Team of Tencent Xuanwu Lab Atuin Automated Vulnerability Discovery Engine Lili Tang, Guannan Wang, and Guancheng Li

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14813",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T13:19:43.094033Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T13:19:49.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/",
          "defaultStatus": "unaffected",
          "modules": [
            "core"
          ],
          "packageName": "bcprov",
          "platforms": [
            "all"
          ],
          "product": "BC-JAVA",
          "programFiles": [
            "G3413CTRBlockCipher"
          ],
          "repo": "https://github.com/bcgit/bc-java",
          "vendor": "Legion of the Bouncy Castle Inc.",
          "versions": [
            {
              "lessThan": "1.80.2",
              "status": "affected",
              "version": "1.59",
              "versionType": "maven"
            },
            {
              "lessThan": "1.81.1",
              "status": "affected",
              "version": "1.81",
              "versionType": "maven"
            },
            {
              "lessThan": "1.84",
              "status": "affected",
              "version": "1.82",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "XlabAI Team of Tencent Xuanwu Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Atuin Automated Vulnerability Discovery Engine"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Lili Tang, Guannan Wang, and Guancheng Li"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules).\u003cp\u003e This vulnerability is associated with program files G3413CTRBlockCipher.\u003c/p\u003e\u003cp\u003eThis issue affects BC-JAVA: from 1.59 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.\u003c/p\u003e"
            }
          ],
          "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules).\n\n This vulnerability is associated with program files G3413CTRBlockCipher.\n\n\n\nThis issue affects BC-JAVA: from 1.59 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T23:15:49.105Z",
        "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "shortName": "bcorg"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "GOSTCTR implementation unable to process more than 255 blocks correctly",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
    "assignerShortName": "bcorg",
    "cveId": "CVE-2025-14813",
    "datePublished": "2026-04-15T08:56:34.057Z",
    "dateReserved": "2025-12-17T00:17:44.229Z",
    "dateUpdated": "2026-05-18T23:15:49.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0636 (GCVE-0-2026-0636)

Vulnerability from cvelistv5 – Published: 2026-04-15 08:59 – Updated: 2026-05-18 23:20

Title

LDAP Injection Vulnerability in LDAPStoreHelper.java

Summary

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Severity

5.5 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-90 - Improper neutralization of special elements used in an LDAP query ('LDAP injection')

Assigner

bcorg

References

2 references

URL	Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	vendor-advisory
https://github.com/bcgit/bc-java/commit/d20cdb843…	patch

Impacted products

1 product

Vendor	Product	Version
Legion of the Bouncy Castle Inc.	BC-JAVA	Affected: 1.74 , < 1.80.2 (maven) Affected: 1.81 , < 1.81.1 (maven) Affected: 1.82 , < 1.84 (maven)

Credits

Prasanth Sundararajan (prasanth.srihari@gmail.com)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T13:12:14.838595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T13:12:22.433Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/",
          "defaultStatus": "unaffected",
          "modules": [
            "prov"
          ],
          "packageName": "bcprov",
          "platforms": [
            "all"
          ],
          "product": "BC-JAVA",
          "programFiles": [
            "LDAPStoreHelper"
          ],
          "repo": "https://github.com/bcgit/bc-java",
          "vendor": "Legion of the Bouncy Castle Inc.",
          "versions": [
            {
              "lessThan": "1.80.2",
              "status": "affected",
              "version": "1.74",
              "versionType": "maven"
            },
            {
              "lessThan": "1.81.1",
              "status": "affected",
              "version": "1.81",
              "versionType": "maven"
            },
            {
              "lessThan": "1.84",
              "status": "affected",
              "version": "1.82",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Prasanth Sundararajan (prasanth.srihari@gmail.com)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper neutralization of special elements used in an LDAP query (\u0027LDAP injection\u0027) vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules).\u003cp\u003e This vulnerability is associated with program files LDAPStoreHelper.\u003c/p\u003e\u003cp\u003eThis issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.\u003c/p\u003e"
            }
          ],
          "value": "Improper neutralization of special elements used in an LDAP query (\u0027LDAP injection\u0027) vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules).\n\n This vulnerability is associated with program files LDAPStoreHelper.\n\n\n\nThis issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-90",
              "description": "CWE-90 Improper neutralization of special elements used in an LDAP query (\u0027LDAP injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T23:20:07.728Z",
        "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "shortName": "bcorg"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "LDAP Injection Vulnerability in LDAPStoreHelper.java",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
    "assignerShortName": "bcorg",
    "cveId": "CVE-2026-0636",
    "datePublished": "2026-04-15T08:59:12.677Z",
    "dateReserved": "2026-01-06T03:18:21.572Z",
    "dateUpdated": "2026-05-18T23:20:07.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3505 (GCVE-0-2026-3505)

Vulnerability from cvelistv5 – Published: 2026-04-15 09:06 – Updated: 2026-05-18 23:21

Title

Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

Summary

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of resources without limits or throttling
CWE-400 - Uncontrolled Resource Consumption

Assigner

bcorg

References

2 references

URL	Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	vendor-advisory
https://github.com/bcgit/bc-java/commit/dc7530939…	patch

Impacted products

1 product

Vendor	Product	Version
Legion of the Bouncy Castle Inc.	BC-JAVA	Affected: 1.74 , < 1.80.2 (maven) Affected: 1.81 , < 1.81.1 (maven) Affected: 1.82 , < 1.84 (maven)

Credits

Disclosure <disclosure@aisle.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3505",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T13:10:48.791999Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T13:10:55.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/",
          "defaultStatus": "unaffected",
          "modules": [
            "pg"
          ],
          "packageName": "bcpg",
          "platforms": [
            "all"
          ],
          "product": "BC-JAVA",
          "programFiles": [
            "AEADEncDataPacket.java",
            "BcAEADUtil.java",
            "JceAEADUtil.java",
            "OperatorHelper.java"
          ],
          "repo": "https://github.com/bcgit/bc-java",
          "vendor": "Legion of the Bouncy Castle Inc.",
          "versions": [
            {
              "lessThan": "1.80.2",
              "status": "affected",
              "version": "1.74",
              "versionType": "maven"
            },
            {
              "lessThan": "1.81.1",
              "status": "affected",
              "version": "1.81",
              "versionType": "maven"
            },
            {
              "lessThan": "1.84",
              "status": "affected",
              "version": "1.82",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Disclosure \u003cdisclosure@aisle.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).\u003cp\u003e This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.\u003c/p\u003e\u003cp\u003eThis issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).\n\n This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.\n\n\n\nThis issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of resources without limits or throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T23:21:21.526Z",
        "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "shortName": "bcorg"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
    "assignerShortName": "bcorg",
    "cveId": "CVE-2026-3505",
    "datePublished": "2026-04-15T09:06:37.939Z",
    "dateReserved": "2026-03-04T00:44:50.028Z",
    "dateUpdated": "2026-05-18T23:21:21.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5588 (GCVE-0-2026-5588)

Vulnerability from cvelistv5 – Published: 2026-04-15 09:06 – Updated: 2026-05-18 23:22

Title

PKIX draft CompositeVerifier accepts empty signature sequence as valid.

Summary

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Amber

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

bcorg

References

2 references

URL	Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%9…	vendor-advisory
https://github.com/bcgit/bc-java/commit/656bae0db…	patch

Impacted products

3 products

Vendor	Product	Version
Legion of the Bouncy Castle Inc.	BC-JAVA	Affected: 1.67 , < 1.80.2 (maven) Affected: 1.81 , < 1.81.1 (maven) Affected: 1.82 , < 1.84 (maven)
Legion of the Bouncy Castle Inc.	BCPKIX-FIPS	Affected: 2.0.6 , < 2.0.11 (maven) Affected: 2.1.7 , < 2.1.11 (maven)
Legion of the Bouncy Castle Inc.	BCPIX-LTS	Affected: 2.73.7 , < 2.73.11 (maven)

Credits

Nicholas Carlini using Claude, Anthropic

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5588",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T19:35:32.235455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T19:35:40.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/",
          "defaultStatus": "unaffected",
          "modules": [
            "pkix"
          ],
          "packageName": "bcpkix",
          "platforms": [
            "all"
          ],
          "product": "BC-JAVA",
          "programFiles": [
            "JcaContentVerifierProviderBuilder.java"
          ],
          "repo": "https://github.com/bcgit/bc-java",
          "vendor": "Legion of the Bouncy Castle Inc.",
          "versions": [
            {
              "lessThan": "1.80.2",
              "status": "affected",
              "version": "1.67",
              "versionType": "maven"
            },
            {
              "lessThan": "1.81.1",
              "status": "affected",
              "version": "1.81",
              "versionType": "maven"
            },
            {
              "lessThan": "1.84",
              "status": "affected",
              "version": "1.82",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java-fips/",
          "defaultStatus": "unaffected",
          "modules": [
            "pkix"
          ],
          "packageName": "bcpkix",
          "platforms": [
            "All"
          ],
          "product": "BCPKIX-FIPS",
          "programFiles": [
            "JcaContentVerifierProviderBuilder.java"
          ],
          "repo": "https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/",
          "vendor": "Legion of the Bouncy Castle Inc.",
          "versions": [
            {
              "lessThan": "2.0.11",
              "status": "affected",
              "version": "2.0.6",
              "versionType": "maven"
            },
            {
              "lessThan": "2.1.11",
              "status": "affected",
              "version": "2.1.7",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java-lts/",
          "defaultStatus": "unaffected",
          "modules": [
            "pkix"
          ],
          "packageName": "bcpkix",
          "platforms": [
            "All"
          ],
          "product": "BCPIX-LTS",
          "programFiles": [
            "JcaContentVerfierProviderBuilder.java"
          ],
          "repo": "https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-lts8on/",
          "vendor": "Legion of the Bouncy Castle Inc.",
          "versions": [
            {
              "lessThan": "2.73.11",
              "status": "affected",
              "version": "2.73.7",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nicholas Carlini using Claude, Anthropic"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).\u003cp\u003e This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.\u003c/p\u003e\u003cp\u003eThis issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.\u003c/p\u003e"
            }
          ],
          "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).\n\n This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.\n\n\n\nThis issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T23:22:57.378Z",
        "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "shortName": "bcorg"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "PKIX draft CompositeVerifier accepts empty signature sequence as valid.",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
    "assignerShortName": "bcorg",
    "cveId": "CVE-2026-5588",
    "datePublished": "2026-04-15T09:06:15.617Z",
    "dateReserved": "2026-04-04T23:50:59.336Z",
    "dateUpdated": "2026-05-18T23:22:57.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1129

CVE-2025-14813 (GCVE-0-2025-14813)

CVE-2026-0636 (GCVE-0-2026-0636)

CVE-2026-3505 (GCVE-0-2026-3505)

CVE-2026-5588 (GCVE-0-2026-5588)

Tags

Sightings

Nomenclature