Skip to main content

Bouncy Castle BC-FJA CVE-2026-8149

| EUVDEUVD-2026-28534 MEDIUM
Inconsistency Between Implementation and Documented Design (CWE-1068)
2026-05-08 bcorg GHSA-mx76-r943-rf8g
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:M/U:Amber
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
N

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 09:00 vuln.today
CVSS changed
May 08, 2026 - 07:22 NVD
5.1 (MEDIUM)
CVE Published
May 08, 2026 - 06:01 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 06:01 nvd
MEDIUM 5.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 80 maven packages depend on org.bouncycastle:bc-fips (4 direct, 77 indirect)
  • 69 maven packages depend on org.bouncycastle:bcprov-lts8on (2 direct, 67 indirect)

Ecosystem-wide dependent count for version 2.1.0 and other introduced versions.

DescriptionCVE.org

A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f.

This vulnerability is associated with program files gcm128w, gcm512w.

This issue affects BC-FJA: from 2.1.0 through 2.1.2.

AnalysisAI

Availability degradation in Bouncy Castle BC-FJA cryptographic library versions 2.1.0 through 2.1.2 on Linux X86_64 systems with AVX or AVX-512f SIMD extensions affects GCM-128 and GCM-512 operations, allowing local attackers to cause denial of service without authentication. The vulnerability is associated with optimized assembly implementations (gcm128w, gcm512w) and results in availability impact with no confidentiality or integrity compromise. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The Bouncy Castle BC-FJA library is a FIPS-validated cryptographic module providing implementations of standard algorithms including AES-GCM authenticated encryption. The vulnerability resides in optimized assembly language implementations for GCM (Galois/Counter Mode) operations, specifically the gcm128w and gcm512w modules, which are used on x86_64 Linux systems to accelerate performance using AVX and AVX-512f vector extensions. The root cause is classified under CWE-1068 (Inconsistent Naming Conventions for Identifiers), though the CVSS vector and description suggest the issue manifests as an availability problem in the cryptographic processing path. The affected CPE cpe:2.3:a:legion_of_the_bouncy_castle_inc.:bc-fja:*:*:*:*:*:*:*:* indicates all configurations of the library in the 2.1.x release series are impacted when deployed on compatible processors.

RemediationAI

Upgrade Bouncy Castle BC-FJA to version 2.1.3 or later, which is expected to contain the fix based on the CVSS remediation effectiveness tag (RE:M). Consult the official Bouncy Castle advisory at https://do-not-publish.bouncycastle.org/do_not_publish for confirmed patch version details and release date. If immediate patching is not feasible, disable AVX/AVX-512f SIMD acceleration for GCM operations via runtime configuration or environment variables (if the library provides such options), though this will result in performance degradation. Alternatively, if GCM is not required for your application's use cases, switch to other AEAD modes (e.g., AES-CCM, ChaCha20-Poly1305) implemented in non-vulnerable code paths. Monitor Bouncy Castle release notes for version 2.1.3+ and apply patches promptly, as the availability impact could disrupt cryptographic operations in production systems relying on AES-GCM for TLS, storage encryption, or authenticated messaging.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-8149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy