PatchSiren

Legion of the Bouncy Castle Inc. CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Legion of the Bouncy Castle Inc. CVE published 2026-05-08

CVE-2026-8149

CVE-2026-8149 is a medium-severity issue in Legion of the Bouncy Castle Inc. BC-LTS that affects Linux x86_64 builds using AVX or AVX-512f-specific GCM program files. The supplied NVD record shows a local attack surface, low attack complexity, and low availability impact. Systems running BC-LTS from 2.73.0 through 2.73.10 should be treated as affected until upgraded.

HIGH Legion of the Bouncy Castle Inc. CVE published 2026-04-15

CVE-2026-5598

A covert timing channel vulnerability exists in the Legion of the Bouncy Castle BC-JAVA cryptographic library, specifically within the FrodoEngine implementation. The vulnerability allows attackers to extract sensitive information through timing analysis of cryptographic operations. Affected versions span multiple release branches: 1.71 through 1.80.1, 1.81 through 1.80.1, and 1.82 through 1.84. The vendo [truncated]

MEDIUM Legion of the Bouncy Castle Inc. CVE published 2026-04-15

CVE-2026-5588

A Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) exists in Legion of the Bouncy Castle's BC-JAVA, BCPKIX-FIPS, and BCPKIX-LTS libraries. The vulnerability affects the PKIX modules and is associated with the JcaContentVerifierProviderBuilder and JcaContentVerfierProviderBuilder Java files. The issue stems from improper cryptographic algorithm selection that could allow attackers to [truncated]

HIGH Legion of the Bouncy Castle Inc. CVE published 2026-04-15

CVE-2026-3505

CVE-2026-3505 is a high-severity availability issue in the BC-JAVA bcpg module from Legion of the Bouncy Castle Inc. The NVD record describes an "allocation of resources without limits or throttling" weakness affecting AEAD-related processing paths. In practical defensive terms, software that accepts untrusted PGP or AEAD input through bcpg should be treated as exposed to resource-exhaustion risk until patched.

CRITICAL Legion of the Bouncy Castle Inc. CVE published 2026-04-15

CVE-2025-14813

A critical vulnerability exists in the Legion of the Bouncy Castle BC-JAVA cryptographic library, specifically within the G3413CTRBlockCipher implementation. The flaw stems from use of a broken or risky cryptographic algorithm (CWE-327), potentially enabling confidentiality and integrity impacts on affected systems. The vulnerability affects BC-JAVA versions from 1.59 before 1.80.2, from 1.81 before 1.81. [truncated]