{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-3505", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "state": "PUBLISHED", "assignerShortName": "bcorg", "dateReserved": "2026-03-04T00:44:50.028Z", "datePublished": "2026-04-15T09:06:37.939Z", "dateUpdated": "2026-07-15T02:48:44.133Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-05-18T23:21:21.526Z" }, "title": "Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-770", "description": "CWE-770 Allocation of resources without limits or throttling", "type": "CWE" } ] }, { "descriptions": [ { "lang": "en", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "type": "CWE" } ] } ], "affected": [ { "vendor": "Legion of the Bouncy Castle Inc.", "product": "BC-JAVA", "platforms": [ "all" ], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "packageName": "bcpg", "repo": "https://github.com/bcgit/bc-java", "modules": [ "pg" ], "programFiles": [ "AEADEncDataPacket.java", "BcAEADUtil.java", "JceAEADUtil.java", "OperatorHelper.java" ], "versions": [ { "status": "affected", "version": "1.74", "lessThan": "1.80.2", "versionType": "maven" }, { "status": "affected", "version": "1.81", "lessThan": "1.81.1", "versionType": "maven" }, { "status": "affected", "version": "1.82", "lessThan": "1.84", "versionType": "maven" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).\n\n This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.\n\n\n\nThis issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).

This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.

This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

" } ] } ], "references": [ { "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505", "tags": [ "vendor-advisory" ] }, { "url": "https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1", "tags": [ "patch" ] } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } } ], "credits": [ { "lang": "en", "value": "Disclosure ", "type": "finder" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 1.0.1" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-15T13:10:48.791999Z", "id": "CVE-2026-3505", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:10:55.206Z" } }, { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_quarkus:3.27" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.18" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9" ], "defaultStatus": "unaffected", "packageName": "bcpg-fips", "product": "Red Hat JBoss Enterprise Application Platform 8.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk15on", "product": "Red Hat JBoss Enterprise Application Platform 8.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "Red Hat JBoss Enterprise Application Platform 8.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8" ], "defaultStatus": "affected", "packageName": "eap8-bouncycastle", "product": "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.84.0-1.redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9" ], "defaultStatus": "affected", "packageName": "eap8-bouncycastle", "product": "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.84.0-1.redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "jenkins", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "jenkins-2-plugins", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-rhel9", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_clients:2023" ], "defaultStatus": "affected", "packageName": "bcpg-jdk18on", "product": "Red Hat AMQ Clients", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "affected", "packageName": "bcpg-jdk18on", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk15on", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "packageName": "jmc", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "bcpg-jdk15on", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "bcpg-jdk18on", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "affected", "packageName": "bcpg-jdk15on", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "affected", "packageName": "bcpg-jdk18on", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "bcpg-fips", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk15on", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on-1.83.0.redhat-00001.jar", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "bcpg-jdk15on", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:satellite:6" ], "defaultStatus": "unaffected", "packageName": "candlepin", "product": "Red Hat Satellite 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:satellite:6" ], "defaultStatus": "unaffected", "packageName": "satellite:el8/candlepin", "product": "Red Hat Satellite 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "bcpg-jdk15on", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "streams for Apache Kafka 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:3" ], "defaultStatus": "unaffected", "packageName": "bcpg-jdk18on", "product": "streams for Apache Kafka 3", "vendor": "Red Hat" } ], "datePublic": "2026-04-15T09:06:37.939Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpg. A specially crafted PGP AEAD (Authenticated Encryption with Associated Data) message with an unbounded chunk size can lead to an excessive consumption of memory. This issue allows an unauthenticated remote attacker to cause memory exhaustion in a JVM, resulting in a denial of service." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-3505" }, { "name": "RHBZ#2458638", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458638" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3505.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:18054" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:18055" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:13631" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:18059" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:17668" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:18054: Red Hat JBoss EAP 8.1 for RHEL 8" }, { "lang": "en", "value": "RHSA-2026:18055: Red Hat JBoss EAP 8.1 for RHEL 9" }, { "lang": "en", "value": "RHSA-2026:13631: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27" }, { "lang": "en", "value": "RHSA-2026:18059: Red Hat JBoss Enterprise Application Platform 8.1" }, { "lang": "en", "value": "RHSA-2026:17668: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14" } ], "timeline": [ { "lang": "en", "time": "2026-04-15T10:01:17.415Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-04-15T09:06:37.939Z", "value": "Made public." } ], "title": "bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion", "workarounds": [ { "lang": "en", "value": "To mitigate this vulnerability, enforce payload size limits on all incoming PGP messages before processing them. Additionally, apply memory quotas to the JVM or container environment to prevent a complete system outage in the event of memory exhaustion." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-15T02:48:44.133Z" } } ] } }