{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3505", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "state": "PUBLISHED", "assignerShortName": "bcorg", "dateReserved": "2026-03-04T00:44:50.028Z", "datePublished": "2026-04-15T09:06:37.939Z", "dateUpdated": "2026-04-15T13:10:55.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T10:42:23.323Z"}, "title": "Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "CWE-770 Allocation of resources without limits or throttling", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "type": "CWE"}]}], "affected": [{"vendor": "Legion of the Bouncy Castle Inc.", "product": "BC-JAVA", "platforms": ["all"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "packageName": "bcpg", "repo": "https://github.com/bcgit/bc-java", "modules": ["pg"], "programFiles": ["AEADEncDataPacket.java", "BcAEADUtil.java", "JceAEADUtil.java", "OperatorHelper.java"], "versions": [{"status": "affected", "version": "1.74", "lessThan": "1.84", "versionType": "maven"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84.\n\nUnbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).<p>This issue affects BC-JAVA: before 1.84.<br><br>Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.</p>"}]}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505", "tags": ["vendor-advisory"]}, {"url": "https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Disclosure <disclosure@aisle.com>", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:10:48.791999Z", "id": "CVE-2026-3505", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:10:55.206Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:10:48.791999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:10:51.998Z"}}], "cna": {"title": "Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Disclosure <disclosure@aisle.com>"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bcgit/bc-java", "vendor": "Legion of the Bouncy Castle Inc.", "modules": ["pg"], "product": "BC-JAVA", "versions": [{"status": "affected", "version": "1.74", "lessThan": "1.84", "versionType": "maven"}], "platforms": ["all"], "packageName": "bcpg", "programFiles": ["AEADEncDataPacket.java", "BcAEADUtil.java", "JceAEADUtil.java", "OperatorHelper.java"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505", "tags": ["vendor-advisory"]}, {"url": "https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before 1.84.\n\nUnbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.", "supportingMedia": [{"type": "text/html", "value": "Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).<p>This issue affects BC-JAVA: before 1.84.<br><br>Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of resources without limits or throttling"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T10:42:23.323Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3505", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:10:55.206Z", "dateReserved": "2026-03-04T00:44:50.028Z", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "datePublished": "2026-04-15T09:06:37.939Z", "assignerShortName": "bcorg"}, "dataVersion": "5.2"}

{}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T12:22:27.649648+00:00", "value": {"mitigation_remediation": ["Upgrade Bouncy Castle BC\u2011JAVA to version 1.84 or later to eliminate the unbounded chunk size processing", "If an immediate upgrade is not possible, restrict access to the application from trusted IPs or implement network\u2011level rate limiting to mitigate the large input attack", "Deploy application\u2011level resource limits (e.g., memory caps or ulimits) and monitor for anomalous memory usage patterns to prevent exhaustion from occurring"], "summary": {"action": "Apply patch", "impact": "Pre\u2011authentication Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Bouncy Castle BC\u2011JAVA bcpg implementations before version 1.84. Any system that processes PGP data with an affected library version could be impacted.", "description_and_impact": "Bouncy Castle\u2019s BC\u2011JAVA library allows creating PGP AEAD objects without limiting the chunk size that is processed. An attacker can craft an input file with extremely large chunk sizes, forcing the library to allocate memory or other resources before any authentication happens. This uncontrolled allocation can exhaust server memory or swap, leading to denial of service or a crash. The weakness matches CWE\u2011770 (Resource Exhaustion) and CWE\u2011400 (Uncontrolled Resource Consumption).", "risk_and_exploitability": "The CVSS score is 8.7, indicating high severity. EPSS is not available, so current exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted PGP data sent to an application that uses the vulnerable library; the attacker needs only to transmit a malicious file before authentication to trigger the exhaustion. Because memory allocation is unbounded, the impact can range from a local resource drain to a full denial of service against the affected system."}}}}, "created": "2026-04-15T13:49:14.858026+00:00", "updated": "2026-04-15T13:49:14.858044+00:00", "vendors": []}