Resource Exhaustion Vulnerability in Bouncy Castle BC-JAVA by Legion of the Bouncy Castle Inc.
CVE-2026-3505

8.7 HIGH

What is CVE-2026-3505?

A resource exhaustion vulnerability exists in Bouncy Castle BC-JAVA due to the unbounded allocation of PGP AEAD (Authenticated Encryption with Associated Data) chunk sizes. An attacker can use this flaw to deplete resources before authentication takes place. Users are encouraged to update to version 1.84 or later to mitigate the risk associated with this vulnerability.

Affected Version(s)

BC-JAVA all 1.74 < 1.84

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Disclosure <disclosure@aisle.com>