{ "threat_severity" : "Important", "public_date" : "2026-04-15T09:06:37Z", "bugzilla" : { "description" : "bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion", "id" : "2458638", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458638" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).\nThis vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.\nThis issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.", "A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpg. A specially crafted PGP AEAD (Authenticated Encryption with Associated Data) message with an unbounded chunk size can lead to an excessive consumption of memory. This issue allows an unauthenticated remote attacker to cause memory exhaustion in a JVM, resulting in a denial of service." ], "statement" : "To exploit this issue, an attacker needs to submit a specially crafted PGP AEAD message containing an unbounded chunk size to an application. An attack typically requires the application to process this malformed data, resulting in the uncontrolled allocation of memory resources.\nThe primary impact of this vulnerability is a compromise of system availability, allowing an unauthenticated remote attacker to cause memory exhaustion in a JVM, resulting in a denial of service.", "affected_release" : [ { "product_name" : "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13631", "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.27", "package" : "bcpg-jdk18on" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "bcpg-jdk18on" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18059", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "bcpg-fips" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18059", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "bcpg-jdk15on" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18059", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "bcpg-jdk18on" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18054", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-bouncycastle-0:1.84.0-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2026-05-18T00:00:00Z", "advisory" : "RHSA-2026:18055", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-bouncycastle-0:1.84.0-1.redhat_00001.1.el9eap" } ], "package_state" : [ { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel9", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "bcpg-jdk15on", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "jmc", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "bcpg-jdk15on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "bcpg-jdk15on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcpg-fips", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcpg-jdk15on", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcpg-jdk18on-1.83.0.redhat-00001.jar", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "bcpg-jdk15on", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "bcpg-jdk15on", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Affected", "package_name" : "bcpg-jdk18on", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3505\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3505\nhttps://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505" ], "name" : "CVE-2026-3505", "mitigation" : { "value" : "To mitigate this vulnerability, enforce payload size limits on all incoming PGP messages before processing them. Additionally, apply memory quotas to the JVM or container environment to prevent a complete system outage in the event of memory exhaustion.", "lang" : "en:us" }, "csaw" : false }