Bouncy Castle for Java Excessive Resource Allocation Vulnerability

Vulnerability

A vulnerability allowing excessive resource allocation has been identified in Legion of the Bouncy Castle Inc. Bouncy Castle for Java, specifically in the bcpkix and bcprov libraries as well as the BCPKIX FIPS modules. This issue affects Bouncy Castle for Java versions 1.44 up to, but not including, 1.78; BCPKIX FIPS 1.0.0 through 1.0.7; and BCPKIX FIPS 2.0.0 through 2.0.7. The vulnerability arises from the PKIXCertPathReviewer class, which places no limit on the size of the name constraints objects it processes. As a result, applications that use this class to review large, unvalidated certificate paths could be susceptible to denial-of-service attacks.

Impact

Exploitation of this vulnerability could lead to a denial-of-service condition by causing applications to hang or crash while processing large name constraint structures.

Remediation

Users can upgrade to Bouncy Castle for Java version 1.79, BCPKIX FIPS 1.0.8, or BCPKIX FIPS 2.0.8 to address this vulnerability.
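A defender's first question is whether any dependency in a build falls inside the affected ranges stated above. The following is an added example, not code from the advisory or from the Bouncy Castle project: it parses dependency versions and reports which ones the advisory's ranges cover, together with the fixed version the advisory names. The dependency list is constructed sample data, and the rule that an artifact name containing "fips" belongs to the BCPKIX FIPS line while names starting with "bcprov" or "bcpkix" belong to the regular Bouncy Castle line is an assumption about naming, not something the advisory specifies.

```python
"""Flag Bouncy Castle for Java dependency versions inside the advisory's affected ranges.

Added example. Ranges and fix versions are taken from the advisory text; the
artifact-name heuristic and the sample dependency list are assumptions/constructed.
"""
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Finding(NamedTuple):
    artifact: str
    version: str
    affected: bool
    fix_version: Optional[str]  # version the advisory names as the remediation


def parse_version(text: str) -> Version:
    """Turn '1.0.7' or '1.78' into an int tuple so ranges compare numerically.
    A qualifier such as '-SNAPSHOT' is dropped before parsing."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


# (low inclusive, high, high is inclusive?, fixed-in version) as the advisory states them.
BC_RANGES = [
    (parse_version("1.44"), parse_version("1.78"), False, "1.79"),
]
FIPS_RANGES = [
    (parse_version("1.0.0"), parse_version("1.0.7"), True, "1.0.8"),
    (parse_version("2.0.0"), parse_version("2.0.7"), True, "2.0.8"),
]


def _in_range(v: Version, low: Version, high: Version, inclusive: bool) -> bool:
    if v < low:
        return False
    return v <= high if inclusive else v < high


def _ranges_for(artifact: str):
    """Assumed naming heuristic: 'fips' in the name selects the BCPKIX FIPS line,
    bcprov*/bcpkix* selects the regular Bouncy Castle for Java line."""
    name = artifact.lower()
    if "fips" in name:
        return FIPS_RANGES
    if name.startswith(("bcprov", "bcpkix")):
        return BC_RANGES
    return []  # not a Bouncy Castle artifact this advisory covers


def assess(artifact: str, version: str) -> Finding:
    """Return whether one artifact/version pair is inside an affected range."""
    v = parse_version(version)
    for low, high, inclusive, fix in _ranges_for(artifact):
        if _in_range(v, low, high, inclusive):
            return Finding(artifact, version, True, fix)
    return Finding(artifact, version, False, None)


def scan(dependencies: List[Tuple[str, str]]) -> List[Finding]:
    """Return only the affected entries from a list of (artifact, version) pairs."""
    return [f for f in (assess(a, v) for a, v in dependencies) if f.affected]


# Constructed sample dependency list (not from any real build).
SAMPLE_DEPENDENCIES = [
    ("bcprov-jdk18on", "1.77"),   # inside 1.44 <= v < 1.78
    ("bcpkix-jdk18on", "1.78"),   # at the exclusive upper bound: not affected
    ("bcpkix-fips", "1.0.7"),     # inclusive upper bound of the 1.0.x range
    ("bcpkix-fips", "2.0.8"),     # the fixed 2.0.x version
    ("guava", "33.0.0"),          # unrelated artifact
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DEPENDENCIES):
        print(f"{finding.artifact}:{finding.version} affected; upgrade to {finding.fix_version}")
```

Version strings are compared as integer tuples rather than as text, so that "1.78" sorts after "1.9" and a point release such as "1.78.1" lands above the exclusive upper bound rather than inside it.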

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.