BC-JAVA bcpg <=1.83 UNBOUND PGP AEAD CHUNK Resource Exhaustion
CVE-2026-3505 Published on April 15, 2026
Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).
This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.
This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Weakness Types
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-3505 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-3505
Want to know whenever a new CVE is published for Bouncycastle Bc Java? stack.watch will email you.
Affected Versions
Legion of the Bouncy Castle Inc. BC-JAVA:- Version 1.74 and below 1.80.2 is affected.
- Version 1.81 and below 1.81.1 is affected.
- Version 1.82 and below 1.84 is affected.