CVE-2026-5598: BC-JAVA core (<1.84) timing channel leak FrodoKEM
CVE-2026-5598 Published on April 15, 2026
Non-constant time comparisons risk private key leakage in FrodoKEM.
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).
This vulnerability is associated with program files FrodoEngine.Java.
This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.
Weakness Type
Covert Timing Channel
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
Products Associated with CVE-2026-5598
Want to know whenever a new CVE is published for Bouncycastle Bc Java? stack.watch will email you.
Affected Versions
Legion of the Bouncy Castle Inc. BC-JAVA:- Version 1.71 and below 1.80.2 is affected.
- Version 1.81 and below 1.80.1 is affected.
- Version 1.82 and below 1.84 is affected.