Covert Timing Channel Vulnerability in Bouncy Castle Java Library
CVE-2026-5598

10CRITICAL

Key Information:

Vendor: Legion Of The Bouncy Castle Inc.
Status: Bc-java
Vendor: CVE Published:; 15 April 2026

🔔 Create Legion Of The Bouncy Castle Inc. Vulnerability Alert

What is CVE-2026-5598?

A vulnerability in the Bouncy Castle Java library introduces a covert timing channel that can lead to the leakage of private keys during non-constant time comparisons. This issue affects all core modules, from version 2.17.3 up to 1.84, thereby compromising the security of cryptographic operations that utilize FrodoKEM. It is crucial for developers using BC-JAVA to address this vulnerability to protect sensitive data.

Affected Version(s)

BC-JAVA all 2.17.3 < 1.84

References

https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2...

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 5, 2026

CVE-2026-5598 Data

JSON