HIGH
GHSA-p93r-85wp-75v3
Bouncy Castle Has Covert Timing Channel Vulnerability
Details
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core (core modules), on all platforms. The vulnerability is associated with the program file FrodoEngine.Java.
This issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations.
This issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.
Fixed versions: 1.80.2, 1.81.1, 1.84
Affected packages
Maven / org.bouncycastle:bcprov-jdk15to18
Introduced in: 1.71
Fixed in: 1.80.2
Fix: in pom.xml, bump to <version>1.80.2</version> for org.bouncycastle:bcprov-jdk15to18
Maven / org.bouncycastle:bcprov-jdk14
Introduced in: 1.81
Fixed in: 1.81.1
Fix: in pom.xml, bump to <version>1.81.1</version> for org.bouncycastle:bcprov-jdk14
Maven / org.bouncycastle:bcprov-jdk18on
Introduced in: 1.82
Fixed in: 1.84
Fix: in pom.xml, bump to <version>1.84</version> for org.bouncycastle:bcprov-jdk18on
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-5598 [ADVISORY]
- https://github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5 [WEB]
- https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87 [WEB]
- https://github.com/bcgit/bc-java [PACKAGE]
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598 [WEB]
- https://github.com/bcgit/bc-java/wiki/CVE-2026-5598 [WEB]