mirrored from https://www.bouncycastle.org/repositories/bc-java
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
CVE‐2026‐3505
David Hook edited this page May 18, 2026
·
8 revisions
Title: Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Issue affecting: BC 1.74 to 1.80.1, BC 1.81, BC 1.82 to BC 1.83.
Fixed versions: BC 1.80.2, BC 1.81.1, BC 1.84
Platform affected: Java 4 and later.
A crafted AEAD chunk header could lead to memory exhaustion in a JVM.
Fixed with commit dc7530939ffb6cdb57636f3609d98e23b94e71c1.