David Hook edited this page May 18, 2026 · 6 revisions
Title: Non-constant time comparisons risk private key leakage in FrodoKEM.
Issue affecting: BC 1.71 to 1.80.1, BC 1.81, BC 1.82 to BC 1.83.
Fixed versions: BC 1.80.2, BC 1.81.1, BC 1.84
Platform affected: Java 4 and later.
Section 10.3.1 (Timing Attacks) of the latest FrodoKEM standard proposal discusses two concerns that were relevant to Bouncy Castle and were reported to us. Both stem from comparisons in decapsulation that are not constant time: an attacker who can observe timing differences while a party decrypts encapsulations can use them to recover that party's private key.
This issue affects only users of the FrodoKEM algorithm who decrypt (decapsulate) encapsulations with a private key.
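The following is an added example and is not Bouncy Castle code. It models, in abstract form, the final check of a Fujisaki-Okamoto style decapsulation (the value the KEM recomputes from the decrypted message is compared with what the sender supplied) and shows why an early-exit comparison hands the compared value to anyone who can time the call. The `expected` bytes, the `work` counter standing in for wall-clock time, and the byte-by-byte recovery loop are constructed for the demonstration; how such a leak is then turned into FrodoKEM private key recovery is the subject of the standard's section 10.3.1 and is not reproduced here.

```java
import java.util.Arrays;
import java.util.function.BiPredicate;

/**
 * Added example, not Bouncy Castle code. Abstract model of the comparison at the
 * end of a KEM decapsulation: an early-exit compare versus a constant-time one,
 * each instrumented with a byte counter that stands in for elapsed time.
 */
public final class KemCompareTimingDemo {

    /** Number of byte comparisons made by the last compare; stands in for wall-clock time. */
    static long work;

    /** Early-exit comparison, the java.util.Arrays.equals pattern: stops at the first mismatch. */
    static boolean leakyEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            work++;
            if (a[i] != b[i]) {
                return false;
            }
        }
        return true;
    }

    /** Constant-time comparison: every byte is examined whatever the inputs are. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            work++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /**
     * Attacker loop. 'expected' plays the secret-dependent value the decapsulation
     * compares against; the attacker sees only accept/reject and the measured work.
     * Returns the recovered bytes, or null when the comparator gives no timing signal.
     */
    static byte[] recoverByTiming(byte[] expected, BiPredicate<byte[], byte[]> cmp) {
        byte[] guess = new byte[expected.length];
        for (int pos = 0; pos < guess.length; pos++) {
            int bestValue = -1;
            long bestWork = -1;
            boolean signal = false;
            for (int v = 0; v < 256; v++) {
                guess[pos] = (byte) v;
                work = 0;
                if (cmp.test(expected, guess)) {
                    return guess.clone();   // full match: the attacker is done
                }
                if (bestWork >= 0 && work != bestWork) {
                    signal = true;          // candidates cost different amounts: a leak
                }
                if (work > bestWork) {
                    bestWork = work;        // the longest-running guess shares the longest prefix
                    bestValue = v;
                }
            }
            if (!signal) {
                return null;                // all 256 candidates cost the same: nothing learned
            }
            guess[pos] = (byte) bestValue;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample, stands in for the re-encapsulated value the KEM compares against.
        byte[] expected = {(byte) 0x9c, 0x41, (byte) 0xe7, 0x02, 0x5a, (byte) 0xb3, 0x18, 0x7f};

        byte[] leaked = recoverByTiming(expected, KemCompareTimingDemo::leakyEquals);
        System.out.println("early-exit compare, value recovered: " + Arrays.equals(expected, leaked));

        byte[] safe = recoverByTiming(expected, KemCompareTimingDemo::constantTimeEquals);
        System.out.println("constant-time compare, value recovered: " + (safe != null));
    }
}
```

With the early-exit comparator the loop recovers all eight bytes in at most 256 queries per byte, because a guess that matches one more byte of the prefix runs one iteration longer; with the constant-time comparator every candidate costs the same and the loop learns nothing. In real code the constant-time helper should be `org.bouncycastle.util.Arrays.constantTimeAreEqual` from Bouncy Castle or `java.security.MessageDigest.isEqual` from the JDK; the inline version above exists only so the byte counter can instrument it.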