PT-2025-32978 · Bouncy Castle · Bouncy Castle For Java

Bing Shi · Published 2025-08-13 · Updated 2026-05-18 · CVE-2025-8916

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber

Name of the Vulnerable Software and Affected Versions:
Bouncy Castle for Java versions 1.44 through 1.78
BCPKIX FIPS versions 1.0.0 through 1.0.7
BCPKIX FIPS versions 2.0.0 through 2.0.7

Description: The Bouncy Castle for Java cryptographic libraries contain a vulnerability caused by excessive resource allocation without limits or throttling. The issue is in the API modules, in the program files that handle PKIX certificate processing, specifically PKIXCertPathReviewer and related classes.

Recommendations: Update Bouncy Castle for Java to a version later than 1.78. Update BCPKIX FIPS to a version later than 1.0.7. Update BCPKIX FIPS to a version later than 2.0.7.

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BDU:2026-06606
CLEANSTART-2026-IA43044
CLEANSTART-2026-IS05941
CLEANSTART-2026-JU62349
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-WK99982
CVE-2025-8916
ECHO-3E4C-CFFF-062A
GHSA-4CX2-FC23-5WG6
USN-8108-1

Affected Products

Bcpkix Fips
Bouncy Castle For Java
Debian
Linuxmint
Ubuntu