Skip to main content

Java CVE-2026-3505

| EUVDEUVD-2026-22855 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-15 bcorg GHSA-cj8j-37rh-8475
8.7
CVSS 4.0 · Vendor: bcorg
Share

Severity by source

Vendor (bcorg) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (bcorg).

CVSS VectorVendor: bcorg

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Severity Changed
Apr 15, 2026 - 15:22 NVD
CRITICAL HIGH
CVSS changed
Apr 15, 2026 - 15:22 NVD
10.0 (CRITICAL) 8.7 (HIGH)
Patch released
Apr 15, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 12:39 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 09:30 euvd
EUVD-2026-22855
Analysis Generated
Apr 15, 2026 - 09:30 vuln.today
CVE Published
Apr 15, 2026 - 09:06 nvd
HIGH 8.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.bouncycastle:bcpg-jdk12 (1 direct, 0 indirect)
  • 10 maven packages depend on org.bouncycastle:bcpg-jdk15 (4 direct, 6 indirect)
  • 371 maven packages depend on org.bouncycastle:bcpg-jdk15on (110 direct, 264 indirect)
  • 55 maven packages depend on org.bouncycastle:bcpg-jdk15to18 (2 direct, 53 indirect)
  • 19 maven packages depend on org.bouncycastle:bcpg-jdk16 (13 direct, 6 indirect)

Ecosystem-wide dependent count for version 130 and other introduced versions.

DescriptionCVE.org

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84.

Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

AnalysisAI

Pre-authentication resource exhaustion in Bouncy Castle BC-JAVA PGP modules (bcpg) allows remote attackers to trigger denial-of-service by exploiting unbounded AEAD chunk sizes, affecting all versions before 1.84. The maximum CVSS 4.0 score of 10.0 reflects complete compromise potential across confidentiality, integrity, and availability with no attack complexity, no authentication requirements, and network-based exploitation. No public exploit identified at time of analysis, though the attack s

Technical ContextAI

Bouncy Castle BC-JAVA is a widely-deployed cryptographic library for Java applications, providing PGP/OpenPGP implementation through its bcpg module. This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) exists in the PGP Authenticated Encryption with Associated Data (AEAD) implementation. AEAD is a modern cryptographic mode combining confidentiality and authentication, introduced to OpenPGP in RFC 9580. The bcpg module fails to validate or limit chunk sizes in AEAD-encrypted PGP messages during parsing, allowing attackers to specify arbitrarily large chunk sizes. Because this validation failure occurs during message processing before authentication checks, attackers can craft malicious PGP packets that force the parser to allocate excessive memory or CPU resources without valid credentials. The affected CPE (cpe:2.3:a:legion_of_the_bouncy_castle_inc.:bc-java) encompasses all BC-JAVA versions prior to 1.84 across all deployment contexts where the PG modules process untrusted OpenPGP input.

RemediationAI

Upgrade to Bouncy Castle BC-JAVA version 1.84 or later immediately, which implements proper validation and throttling of PGP AEAD chunk sizes to prevent resource exhaustion attacks. Update all applications and dependencies that include the bcpg module, verifying the upgrade through dependency management tools (Maven, Gradle) and checking runtime classpath configurations. For environments where immediate upgrade is not feasible, implement network-layer input validation to reject PGP messages exceeding reasonable size thresholds before reaching the bcpg parser, deploy rate limiting on PGP processing endpoints to mitigate mass exploitation attempts, and isolate PGP processing workloads in resource-constrained containers or VMs to contain denial-of-service impact. Consult the official Bouncy Castle advisory at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505 for additional mitigation guidance and upgrade instructions. Test thoroughly in staging environments before production deployment, particularly for applications with complex PGP workflows or large message volumes.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected

Share

CVE-2026-3505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy