CVE-2026-3505 — Uncontrolled Resource Consumption in OF THE Bouncy Castle INC Bc-java

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling3 documents3 sources

Severity

8.7HIGHNVD

EPSS

0.1%

top 82.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Legion OF THE Bouncy Castle INC Bc-java

Timeline

PublishedApr 15

Latest updateApr 17

Description

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5legion_of_the_bouncy_castle_inc/bc-java1.74 — 1.84

🔴Vulnerability Details

GHSA

Bouncy Castle Uncontrolled Resource Consumption vulnerability↗2026-04-17

▶

VulDB

Legion of the Bouncy Castle BC-JAVA up to 1.83 allocation of resources↗2026-04-15

▶