#1134195 bouncycastle: CVE-2026-3505

Package:
src:bouncycastle
Source:
src:bouncycastle
Submitter:
Salvatore Bonaccorso
Date:
2026-04-17 18:21:02 UTC
Severity:
normal
Tags:
#1134195#5
Date:
2026-04-17 18:19:12 UTC
From:
To:
Hi,

The following vulnerability was published for bouncycastle.

CVE-2026-3505[0]:
| Allocation of resources without limits or throttling vulnerability
| in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg
| modules).This issue affects BC-JAVA: before 1.84.  Unbounded PGP
| AEAD chunk size leads to pre-auth resource exhaustion.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3505
https://www.cve.org/CVERecord?id=CVE-2026-3505
[1] https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505
[2] https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore