Use of Risky Cryptographic Algorithm in BC-JAVA by Legion of the Bouncy Castle Inc.
CVE-2025-14813

9.3CRITICAL

Key Information:

Vendor

Legion Of The Bouncy Castle Inc.

Status
Bc-java
Vendor
CVE Published:
15 April 2026

What is CVE-2025-14813?

A vulnerability exists in the BC-JAVA library by Legion of the Bouncy Castle Inc., specifically in the GOSTCTR implementation, which is unable to process more than 255 blocks correctly. This flaw could potentially lead to integrity issues in cryptographic operations and compromise data security, making it crucial for developers relying on this library to be aware and update their implementations. The affected versions span from 1.59 to just before 1.84.

Affected Version(s)

BC-JAVA all 1.59 < 1.84

References

https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2...
vendor-advisory
https://github.com/bcgit/bc-java/commit/b42574345414e4b7c...
patch
https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae...
patch

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine
Lili Tang, Guannan Wang, and Guancheng Li
.