PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15997 Legion of the Bouncy Castle Inc. CVE debrief

CVE-2026-15997 is an out-of-bounds write vulnerability in Legion of the Bouncy Castle Inc. BC-LTS bcprov-lts8on on ARM, potentially leading to buffer overflow. The issue affects BC-LTS versions from 2.73.0 to before 2.73.12.1 and is particularly relevant for applications accepting memoable SHA3 / SHAKE states from untrusted sources. Developers and users should review the vulnerability details and apply necessary patches or updates to prevent potential buffer overflows.

Vendor
Legion of the Bouncy Castle Inc.
Product
BC-LTS
CVSS
LOW 1.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Developers and users of BC-LTS versions from 2.73.0 to before 2.73.12.1 should be aware of this vulnerability, especially those accepting memoable SHA3 / SHAKE states from untrusted sources. Applying patches or updates is crucial to prevent potential buffer overflows. Additionally, restricting the acceptance of memoable SHA3 / SHAKE states to trusted sources only and monitoring for any suspicious activity related to the affected library are recommended.

Technical summary

The vulnerability is caused by an out-of-bounds write issue in the bcprov-lts8on library on ARM architectures, specifically in the SHA3 and SHAKE implementations. This issue affects BC-LTS versions from 2.73.0 to before 2.73.12.1. The vulnerability is rated as LOW with a CVSS score of 1.7. It is crucial for developers and users of affected versions to apply patches or updates to prevent potential buffer overflows, especially when accepting memoable SHA3 / SHAKE states from untrusted sources.

Defensive priority

Apply patches or updates to BC-LTS to prevent potential buffer overflows. Restrict the acceptance of memoable SHA3 / SHAKE states to trusted sources only and monitor for suspicious activity.

Recommended defensive actions

  • Apply patches or updates to BC-LTS to address the out-of-bounds write vulnerability.
  • Restrict the acceptance of memoable SHA3 / SHAKE states to trusted sources only.
  • Monitor for any suspicious activity related to the affected library.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-16T23:16:15.727Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the provided source corpus and may not reflect the full scope or details of the vulnerability. Further verification and review of official advisories are recommended to ensure accurate understanding and mitigation of the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T23:16:15.727Z and has not been modified since then. The NVD entry is currently in the 'Received' status.