Bouncy Castle for Java FIPS and LTS Excessive Resource Allocation Vulnerability

Vulnerability

A vulnerability allowing uncontrolled resource consumption has been identified in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS (versions 2.1.0 through 2.1.1) and Bouncy Castle for Java LTS (versions 2.73.0 through 2.73.7). This vulnerability, associated with several native AES and SHA-2 digest implementations, can lead to excessive memory allocation. The issue is particularly pronounced in high-core environments running Java 21 with Bouncy Castle FIPS 2.1.1, where the disposal thread responsible for cleaning up resources is not scheduled frequently enough under heavy load.

Impact

Excessive resource allocation can lead to performance degradation and potential denial-of-service conditions, especially in high-core environments.

Remediation

Users can upgrade to Bouncy Castle for Java FIPS 2.1.2 or Bouncy Castle for Java LTS 2.73.8 to address this vulnerability. For those still using Java 8, a new property 'org.bouncycastle.native.cleanup_priority' can be set to 'min', 'normal', or 'high' to tune the scheduling priority of the disposal thread.

Added: Oct 24, 2025, 11:21 PM
Updated: Oct 24, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread:         7.8
impact:         2.5
exploitability: 4.7
remediation:    0.0
relevance:      0.8
threat:         0.0
urgency:        5.7
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.