PatchSiren cyber security CVE debrief

CVE-2025-8916 Cert Portal CVE debrief

CVE-2025-8916 is an availability issue in the certificate-path review code of Bouncy Castle Java and BCPKIX FIPS. The supplied advisory describes allocation without limits or throttling in PKIXCertPathReviewer-related classes, which can lead to excessive memory allocation. The stated impact is low-severity availability loss, with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and a base score of 5.3. The advisory was first published on 2026-05-12 UTC and republished/modified on 2026-05-14 UTC in the supplied CISA CSAF source.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Teams that use Bouncy Castle Java bcprov/bcpkix or BCPKIX FIPS in applications that process certificate paths, especially where untrusted input can reach the affected code. Security, platform, and dependency-management teams should also care because the affected components are library modules that may be pulled in transitively.

Technical summary

The advisory links CVE-2025-8916 to resource exhaustion caused by unbounded allocation in PKIXCertPathReviewer code paths. The affected ranges listed in the source are BC Java 1.44 through 1.78, and BCPKIX FIPS 1.0.0 through 1.0.7 and 2.0.0 through 2.0.7. The source references the relevant files in the bc-java repository at pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java and prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java. The supplied advisory rates confidentiality and integrity impact as none and availability impact as low.

Defensive priority

Medium. The CVSS score is moderate, but the issue is network-reachable in the supplied vector and affects security-sensitive cryptographic library code. Prioritize remediation if the library is present in externally exposed services or certificate-validation workflows.

Recommended defensive actions

  • Update affected deployments to V5.0 or later, as stated in the supplied remediation guidance.
  • Inventory all direct and transitive uses of Bouncy Castle Java bcprov/bcpkix and BCPKIX FIPS across applications and services.
  • Confirm whether any applications still use the affected version ranges: BC Java 1.44-1.78, BCPKIX FIPS 1.0.0-1.0.7, or 2.0.0-2.0.7.
  • Treat certificate-path review and related validation endpoints as higher-priority remediation targets if they accept untrusted input.
  • After updating, validate build manifests and dependency locks to prevent reintroduction of affected versions.
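The inventory and version-range checks above can be scripted against a dependency listing. The following is an added example, not code from the advisory or from the Bouncy Castle project: it reads lines in the `groupId:artifactId:type:version:scope` shape that `mvn dependency:list` prints, maps artifacts to the two components the advisory names, and flags versions inside the stated inclusive ranges (BC Java 1.44-1.78; BCPKIX FIPS 1.0.0-1.0.7 and 2.0.0-2.0.7). The artifactId conventions (bcprov-*/bcpkix-* for BC Java, bcpkix-fips for BCPKIX FIPS) and the sample dependency list are assumptions constructed for the example.

```python
"""Flag Bouncy Castle dependencies inside the CVE-2025-8916 affected ranges.

Assumed (not stated in the advisory): Maven artifactIds bcprov-* and bcpkix-*
carry BC Java, and bcpkix-fips carries BCPKIX FIPS. Input lines follow the
`groupId:artifactId:type:version:scope` shape of `mvn dependency:list`;
a three-part `groupId:artifactId:version` line is also accepted.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    artifact: str
    version: str
    component: str
    affected_range: str


# Inclusive ranges taken from the advisory text.
AFFECTED_RANGES = {
    "BC Java": [((1, 44), (1, 78), "1.44-1.78")],
    "BCPKIX FIPS": [
        ((1, 0, 0), (1, 0, 7), "1.0.0-1.0.7"),
        ((2, 0, 0), (2, 0, 7), "2.0.0-2.0.7"),
    ],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.78' into (1, 78). Extra numeric parts are kept, so a point
    release such as '1.78.1' compares greater than '1.78' and therefore falls
    outside the stated inclusive range; non-numeric suffixes are ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify(artifact: str) -> str | None:
    """Map an artifactId to the component name used in the advisory (assumed
    naming). The FIPS check comes first because 'bcpkix-fips' also starts
    with 'bcpkix'."""
    if artifact.startswith("bcpkix-fips"):
        return "BCPKIX FIPS"
    if artifact.startswith(("bcprov", "bcpkix")):
        return "BC Java"
    return None  # other Bouncy Castle modules are not named by the advisory


def is_affected(artifact: str, version: str) -> bool:
    component = classify(artifact)
    if component is None:
        return False
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high, _ in AFFECTED_RANGES[component])


def audit_dependencies(lines) -> list[Finding]:
    """Return one Finding per dependency line whose version is in range."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3 or parts[0] != "org.bouncycastle":
            continue
        artifact = parts[1]
        version = parts[2] if len(parts) == 3 else parts[3]
        component = classify(artifact)
        if component is None:
            continue
        parsed = parse_version(version)
        for low, high, label in AFFECTED_RANGES[component]:
            if low <= parsed <= high:
                findings.append(Finding(artifact, version, component, label))
                break
    return findings


# Constructed sample in mvn dependency:list style; not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
org.bouncycastle:bcprov-jdk18on:jar:1.78:compile
org.bouncycastle:bcpkix-jdk18on:jar:1.78:compile
org.bouncycastle:bcutil-jdk18on:jar:1.78:compile
org.bouncycastle:bcpkix-fips:jar:2.0.7:compile
org.bouncycastle:bc-fips:jar:2.0.0:compile
org.bouncycastle:bcprov-jdk18on:jar:1.79:test
com.example:other-lib:jar:3.1.0:compile
"""

if __name__ == "__main__":
    for f in audit_dependencies(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"{f.artifact} {f.version}: {f.component} affected range {f.affected_range}")
```

Run this against the real output of `mvn dependency:list` (or an equivalent Gradle or lockfile export) rather than the constructed sample; the script only matches the module names the advisory itself calls out, so modules it does not name (bcutil, bc-fips in the sample) are deliberately left unflagged rather than guessed at.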

Evidence notes

The source corpus is internally inconsistent: the advisory metadata names a Siemens SIMATIC CN 4100 product context, but the vulnerability description and affected files clearly refer to Bouncy Castle Java and BCPKIX FIPS modules. This debrief follows the vulnerability text, file references, version ranges, CVSS vector, and remediation provided in the supplied CSAF advisory. No KEV entry is listed in the provided enrichment.

Official resources

First published in the supplied source on 2026-05-12 UTC and modified on 2026-05-14 UTC. The supplied enrichment does not list a Known Exploited Vulnerabilities (KEV) entry.