Skip to main content

bcrypt

3 CVEs library

Monthly

CVE-2026-33306 Ruby MEDIUM PATCH This Month

JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.

Java Integer Overflow Buffer Overflow Red Hat bcrypt
NVD GitHub VulDB
CVSS 4.0
4.5
EPSS
0.0%
CVE-2026-3337 Cargo MEDIUM PATCH This Month

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.

AWS Aws Libcrypto Aws Lc Fips Sys Aws Lc Sys Red Hat +2
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2015-0886 Maven MEDIUM PATCH This Month

Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Integer Overflow Buffer Overflow Jbcrypt Fedora bcrypt
NVD
CVSS 2.0
5.0
EPSS
2.5%
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.

Java Integer Overflow Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.

AWS Aws Libcrypto Aws Lc Fips Sys +4
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Integer Overflow Buffer Overflow Jbcrypt +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy