PatchSiren

CVE-2026-8149 Legion of the Bouncy Castle Inc. CVE debrief

CVE-2026-8149 is a medium-severity issue in Legion of the Bouncy Castle Inc. BC-LTS that affects Linux x86_64 builds using AVX or AVX-512f-specific GCM program files. The supplied NVD record shows a local attack surface, low attack complexity, and low availability impact. Systems running BC-LTS from 2.73.0 through 2.73.10 should be treated as affected until upgraded.

Vendor: Legion of the Bouncy Castle Inc.
Product: BC-LTS
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-19
Advisory published: 2026-05-08
Advisory updated: 2026-05-19

Who should care

Teams that package, deploy, or rely on Bouncy Castle BC-LTS on Linux x86_64 systems with AVX or AVX-512f support, especially if gcm128w or gcm512w binaries are installed or in use.

Technical summary

The NVD record describes a vulnerability in BC-LTS affecting Linux x86_64 AVX/AVX-512f program files gcm128w and gcm512w. The affected range is BC-LTS 2.73.0 through 2.73.10, with the fix boundary stated as before 2.73.11. The supplied CVSS v4.0 vector indicates local attack conditions, no privileges required, no user interaction, and a low availability impact, with no confidentiality or integrity impact recorded in the vector provided.

Defensive priority

Medium. Prioritize remediation for any Linux deployments that include the affected BC-LTS binaries, especially where cryptographic workloads are production-critical or broadly distributed.

Recommended defensive actions

  • Upgrade BC-LTS to 2.73.11 or later.
  • Inventory Linux x86_64 deployments for BC-LTS versions 2.73.0 through 2.73.10.
  • Verify whether AVX/AVX-512f-optimized GCM binaries (gcm128w, gcm512w) are installed or invoked.
  • Use the vendor-maintained advisory reference to confirm package-specific remediation and validation steps.
  • If immediate upgrade is not possible, isolate affected hosts and monitor for unexpected instability in crypto-dependent services.
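
The inventory and AVX checks above can be scripted. The following is an added example, not code from the vendor or from NVD: it assumes your inventory already supplies each host's BC-LTS version string, its `uname -m` output, and the text of `/proc/cpuinfo`, and it does not detect whether gcm128w or gcm512w are actually present. The function names and the sample input are constructed for illustration.

```python
import re

# Version boundaries as stated on this page (NVD range for CVE-2026-8149).
FIRST_AFFECTED = (2, 73, 0)
FIRST_FIXED = (2, 73, 11)
# Linux /proc/cpuinfo flag names for the two instruction sets the page names.
SIMD_FLAGS = {"avx", "avx512f"}


def parse_version(text):
    """Parse 'X.Y.Z' into an int tuple so 2.73.10 sorts after 2.73.9."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def in_affected_range(version):
    """True for 2.73.0 up to, but not including, 2.73.11."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def simd_flags(cpuinfo_text):
    """Return which of avx/avx512f appear on the first 'flags' line."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return SIMD_FLAGS & set(value.split())
    return set()


def triage(version, machine, cpuinfo_text):
    """Classify one host record: (BC-LTS version, uname -m, /proc/cpuinfo)."""
    if not in_affected_range(version):
        return "out-of-range"
    if machine == "x86_64" and simd_flags(cpuinfo_text):
        return "in-range, AVX/AVX-512f present"
    return "in-range"


# Constructed sample input, not taken from a real host.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 avx avx2 avx512f\n"

if __name__ == "__main__":
    for ver in ("2.73.9", "2.73.10", "2.73.11"):
        print(ver, "->", triage(ver, "x86_64", SAMPLE_CPUINFO))
```

Hosts reported as "in-range" without the AVX flags still fall under the page's guidance to treat 2.73.0 through 2.73.10 as affected until upgraded; the flag check only orders the work.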

Evidence notes

The source corpus includes the NVD record, which names BC-LTS, lists the affected version range as 2.73.0 up to but not including 2.73.11, identifies the Linux x86_64 AVX/AVX-512f program files, and provides a CVSS v4.0 vector showing local access and low availability impact. The only vendor reference included in the corpus is the bc-java GitHub wiki CVE page; no full advisory text was supplied, so remediation guidance is limited to the version boundary stated in the NVD description.

Official resources

CVE published by NVD on 2026-05-08 and last modified on 2026-05-19. In the supplied corpus, NVD marks the record as "Awaiting Analysis" and no KEV entry is present.