CVE-2026-5598: BC-JAVA core (<1.84) timing channel leak FrodoKEM
CVE-2026-5598 Published on April 15, 2026
Non-constant time comparisons risk private key leakage in FrodoKEM.
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).
This vulnerability is associated with program files FrodoEngine.Java.
This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.
Weakness Type
Covert Timing Channel
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
Products Associated with CVE-2026-5598
Want to know whenever a new CVE is published for Bouncycastle Bc Java? stack.watch will email you.
Affected Versions
Legion of the Bouncy Castle Inc. BC-JAVA:- Version 1.71 and below 1.80.2 is affected.
- Version 1.81 and below 1.80.1 is affected.
- Version 1.82 and below 1.84 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.