Uncontrolled Resource Consumption in Bouncy Castle FIPS 2.1.0 & LTS 2.73.0-2.73.7 AESNativeCBC
CVE-2025-9341 Published on August 22, 2025
Garbage collection can be delayed for AES CBC native support, resulting in heap exhaustion.
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files org/bouncycastle/crypto/fips/AESNativeCBC.Java, org/bouncycastle/crypto/engines/AESNativeCBC.Java.
This issue affects Bouncy Castle for Java FIPS: 2.1.0; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2025-9341 has been classified as a Resource Exhaustion vulnerability or weakness.
Affected Versions
Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS:
- Version 2.1.0 is affected.
Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS:
- Versions from 2.73.0 through 2.73.7 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.