PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-14813 Legion of the Bouncy Castle Inc. CVE debrief

A critical vulnerability exists in the Legion of the Bouncy Castle BC-JAVA cryptographic library, specifically within the G3413CTRBlockCipher implementation. The flaw stems from use of a broken or risky cryptographic algorithm (CWE-327), potentially enabling confidentiality and integrity impacts on affected systems. The vulnerability affects BC-JAVA versions from 1.59 before 1.80.2, from 1.81 before 1.81.1, and from 1.82 before 1.84. This issue was published on April 15, 2026, with the record last modified on May 19, 2026. The vendor has acknowledged this vulnerability and provided patches and documentation.

Vendor: Legion of the Bouncy Castle Inc.
Product: BC-JAVA
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-19
Advisory published: 2026-04-15
Advisory updated: 2026-05-19

Who should care

Organizations using the Bouncy Castle BC-JAVA library in an affected version range (from 1.59 before 1.80.2, from 1.81 before 1.81.1, or from 1.82 before 1.84) for cryptographic operations, particularly those employing G3413CTRBlockCipher. This includes Java applications in financial services, government, healthcare, and other sectors requiring cryptographic protections. Development teams managing Java dependencies and security engineers responsible for cryptographic implementations should prioritize assessment and remediation.

Technical summary

CVE-2025-14813 is a critical vulnerability in the Legion of the Bouncy Castle BC-JAVA library's G3413CTRBlockCipher implementation. The flaw involves use of a broken or risky cryptographic algorithm (CWE-327), affecting versions from 1.59 before 1.80.2, from 1.81 before 1.81.1, and from 1.82 before 1.84. The vulnerability has a CVSS 4.0 score of 9.3 with critical severity. The attack vector is local with low complexity, requiring no privileges or user interaction, and can result in high confidentiality and integrity impacts. The vendor has released patches and maintains documentation on their wiki.

Defensive priority

critical

Recommended defensive actions

  • Upgrade BC-JAVA to version 1.80.2, 1.81.1, or 1.84 or later depending on your current branch
  • Review applications utilizing G3413CTRBlockCipher for cryptographic operations
  • Audit dependency management systems to identify vulnerable BC-JAVA versions
  • Monitor vendor security advisories for additional guidance on this vulnerability
  • Consider cryptographic agility measures to facilitate future algorithm transitions
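
The dependency audit described in the actions above can be scripted. The following is an added example, not code from the vendor or from this advisory: it checks org.bouncycastle coordinates in `mvn dependency:list` output against the affected ranges stated in this debrief. The sample lines are constructed, and treating every org.bouncycastle artifact as part of BC-JAVA is an assumption.

```python
import re

# Affected ranges as stated in this debrief: (first affected, first fixed).
AFFECTED = [("1.59", "1.80.2"), ("1.81", "1.81.1"), ("1.82", "1.84")]

# group:artifact:type:version as printed by `mvn dependency:list`.
# Assumption: every org.bouncycastle artifact is treated as part of BC-JAVA.
COORD = re.compile(r"org\.bouncycastle:([\w.-]+):[\w-]+:(\d+(?:\.\d+)*)(?=[:\s]|$)")

def parse_version(text):
    """'1.78.1' -> (1, 78, 1); pads to three parts so 1.80 compares as 1.80.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def fixed_in(version):
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(version)
    for first_bad, first_fixed in AFFECTED:
        if parse_version(first_bad) <= v < parse_version(first_fixed):
            return first_fixed
    return None

def audit(lines):
    """Return (artifact, version, upgrade target) for each affected dependency."""
    findings = []
    for line in lines:
        match = COORD.search(line)
        if match and fixed_in(match.group(2)):
            findings.append((match.group(1), match.group(2), fixed_in(match.group(2))))
    return findings

# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE = """\
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.58:compile
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile
[INFO]    org.bouncycastle:bcpkix-jdk18on:jar:1.81:runtime
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.83:compile
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.84:compile
[INFO]    com.example:app-core:jar:1.60:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, target in audit(SAMPLE):
        print(f"AFFECTED {artifact} {version}: upgrade to {target} or later")
```

A version match only shows that an affected release is on the classpath; whether the application actually uses G3413CTRBlockCipher still needs the code review listed above.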

Evidence notes

The vulnerability is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The CVSS 4.0 vector indicates a local attack vector with low attack complexity, no privileges required, and no user interaction needed, with high impacts to the confidentiality and integrity of the vulnerable component and high impacts to the confidentiality and integrity of subsequent systems. The vendor has published a dedicated wiki page documenting this CVE and provided two commit references addressing the issue.

Official resources

The CVE was published on April 15, 2026, and last modified on May 19, 2026. The vulnerability affects BC-JAVA versions spanning multiple release branches, indicating a long-standing implementation issue in the G3413CTRBlockCipher component.