CVE-2026-5598 — Covert Timing Channel in OF THE Bouncy Castle INC Bc-java

CWE-385 — Covert Timing Channel6 documents5 sources

Severity

10.0CRITICALNVD

EPSS

0.0%

top 95.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Legion OF THE Bouncy Castle INC Bc-java Candlepinproject Candlepin Devspaces Openvsx-rhel9 +10 more

Timeline

PublishedApr 15

Latest updateApr 17

Description

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages13 packages

▶CVEListV5legion_of_the_bouncy_castle_inc/bc-java2.17.3 — 1.84

▶Red Hatpki-core_10.6/resteasy

▶Red Hatjenkins/jenkins

▶Red Hatredhat/resteasy

▶Red Hatpki-deps_10.6/resteasy

🔴Vulnerability Details

GHSA

GHSA-p93r-85wp-75v3: Covert timing channel vulnerability in Legion of the Bouncy Castle Inc↗2026-04-17

▶

VulDB

Legion of the Bouncy Castle BC-JAVA up to 1.83 Private Key covert timing channel↗2026-04-15

▶

📋Vendor Advisories

Red Hat

bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons↗2026-04-15

▶

💬Community

Bugzilla

CVE-2026-5598 pdfbox: private key leakage via non-constant time comparisons [fedora-all]↗2026-04-17

▶

Bugzilla

CVE-2026-5598 bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons↗2026-04-15

▶