PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3505 Legion of the Bouncy Castle Inc. CVE debrief

CVE-2026-3505 is a high-severity availability issue in the BC-JAVA bcpg module from Legion of the Bouncy Castle Inc. The NVD record describes an "allocation of resources without limits or throttling" weakness affecting AEAD-related processing paths. In practical defensive terms, software that accepts untrusted PGP or AEAD input through bcpg should be treated as exposed to resource-exhaustion risk until patched.

Vendor
Legion of the Bouncy Castle Inc.
Product
BC-JAVA
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-15
Original CVE updated
2026-05-19
Advisory published
2026-04-15
Advisory updated
2026-05-19

Who should care

Security and platform teams running Java applications that depend on Bouncy Castle BC-JAVA, especially services using the bcpg module for PGP-related parsing, encryption, or message handling. Systems that process attacker-controlled or otherwise untrusted inputs over the network should prioritize this issue first.

Technical summary

The NVD entry classifies the flaw as uncontrolled resource consumption, tagging it with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). Affected code paths named in the record include AEADEncDataPacket.java, BcAEADUtil.java, JceAEADUtil.java, and OperatorHelper.java, that is, the AEAD packet representation together with both the lightweight (Bc) and JCE-backed (Jce) AEAD helpers. The CVSS vector indicates the flaw is reachable over the network with no privileges or user interaction required and has a high availability impact, which makes the issue especially relevant for network-facing services that parse OpenPGP data with bcpg.

Defensive priority

High. The record rates the issue 8.7 (HIGH), and the attack is remote, unauthenticated, and requires no user interaction. For defenders, that combination makes this a strong patch-now candidate for any environment that accepts untrusted bcpg inputs.

Recommended defensive actions

  • Upgrade BC-JAVA to a fixed release for your branch: 1.80.2 or later for the 1.74 line, 1.81.1 or later for the 1.81 line, and 1.84 or later for the 1.82 line.
  • Inventory applications and transitive dependencies to find every use of BC-JAVA bcpg.
  • Treat any service that processes untrusted PGP or AEAD content as higher risk and prioritize it for patching and validation.
  • Apply defensive resource controls around input handling where practical, such as request limits, timeouts, memory caps, and isolation of parsing workloads.
  • Monitor for abnormal CPU, memory, thread, or request-volume spikes in services that rely on BC-JAVA during upgrade rollout and after deployment.
  • Confirm the patched version works correctly in dependent cryptographic flows before broad production rollout.
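The resource controls recommended above are easiest to apply at the point where untrusted bytes are handed to bcpg. The following Java class is an added example written for this debrief; it is not Bouncy Castle project code and is not taken from the NVD record or the referenced commit. It places a byte cap and a wall-clock deadline in front of a parse, and runs the parse on a small dedicated thread pool so a stuck or allocation-heavy parse cannot consume the service's request threads. JcaPGPObjectFactory and PGPUtil.getDecoderStream are real bcpg APIs; the class name, the limit values, and the sample input are illustrative and assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;

/**
 * Added example, not Bouncy Castle project code: a byte cap and a deadline
 * placed in front of bcpg when the input is untrusted. The limits used in
 * main() are illustrative and must be sized for the real workload.
 */
public final class BoundedPgpParse {

    /** Work a parser may perform on an untrusted stream. */
    @FunctionalInterface
    interface Parser<T> {
        T parse(InputStream in) throws Exception;
    }

    /**
     * Fails the read, and therefore the parse, once more than maxBytes have been
     * consumed. Bytes re-read after mark()/reset() are counted again, so the cap
     * is conservative rather than exact.
     */
    static final class LimitedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long consumed;

        LimitedInputStream(InputStream in, long maxBytes) {
            super(in);
            this.maxBytes = maxBytes;
        }

        @Override
        public int read() throws IOException {
            int b = in.read();
            if (b >= 0) {
                account(1);
            }
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) {
                account(n);
            }
            return n;
        }

        private void account(int n) throws IOException {
            consumed += n;
            if (consumed > maxBytes) {
                throw new IOException("untrusted input exceeds " + maxBytes + " bytes");
            }
        }
    }

    /** Small dedicated pool: a stuck parse occupies one of these, not a request thread. */
    private static final ExecutorService PARSE_POOL = Executors.newFixedThreadPool(2);

    /**
     * Runs parser on untrusted bytes under a byte cap and a deadline. Cancelling on
     * timeout interrupts the task, but memory the parser has already allocated is
     * only reclaimed once the thread stops; for hard isolation run parsing in a
     * separate JVM started with an explicit -Xmx.
     */
    static <T> T parseBounded(byte[] untrusted, long maxBytes, long timeoutMs, Parser<T> parser)
            throws Exception {
        if (untrusted.length > maxBytes) {
            throw new IOException("rejected before parsing: " + untrusted.length + " bytes");
        }
        Future<T> task = PARSE_POOL.submit(
                () -> parser.parse(new LimitedInputStream(new ByteArrayInputStream(untrusted), maxBytes)));
        try {
            return task.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            task.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not a real OpenPGP message: the guard is the point, not the parse.
        byte[] untrusted = new byte[64];
        try {
            Object first = parseBounded(untrusted, 1L << 20, 5_000L,
                    in -> new JcaPGPObjectFactory(PGPUtil.getDecoderStream(in)).nextObject());
            System.out.println("first packet: " + first);
        } catch (Exception e) {
            System.out.println("parse rejected: " + e);
        } finally {
            PARSE_POOL.shutdownNow();
        }
    }
}
```

The byte cap is checked twice on purpose: once on the whole buffer before any work starts, and again inside the stream so the same guard holds when the caller passes a streaming source instead of a byte array. A deadline is a mitigation for CPU-bound or looping parses, not for a single oversized allocation; the only control that fully contains a memory spike is process-level isolation with a fixed heap, which is why the comment on parseBounded points to a separate JVM with -Xmx for the highest-risk inputs. None of this replaces the upgrade; it narrows exposure while the fixed release is rolled out.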

Evidence notes

This debrief is based on the supplied NVD CVE record published on 2026-04-15 and last modified on 2026-05-19, plus the official Bouncy Castle GitHub commit and wiki references listed in that record. The supplied corpus establishes the affected BC-JAVA version ranges, the bcpg module, the named source files, and the CWE/CVSS metadata. This write-up does not rely on unverified contents from the linked references beyond their presence as official references in the source item.

Official resources

NVD record for CVE-2026-3505: https://nvd.nist.gov/vuln/detail/CVE-2026-3505, published 2026-04-15 and last modified 2026-05-19. The record is an official NVD CVE entry and lists the official Bouncy Castle GitHub commit and wiki references used for this debrief.