Source: bouncycastle
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,

The following vulnerability was published for bouncycastle.

CVE-2025-12194[0]:
| Uncontrolled Resource Consumption vulnerability in Legion of the
| Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API
| modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java
| LTS bcprov-lts8on on All (API modules) allows Excessive Allocation.
| This vulnerability is associated with program files
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.
| This issue affects Bouncy Castle for Java
| FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from
| 2.73.0 through 2.73.7.

https://github.com/bcgit/bc-lts-java/commit/f2776feac0c30230f7a5ac34eb24f5019caf0324
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-12194
    https://www.cve.org/CVERecord?id=CVE-2025-12194

Please adjust the affected versions in the BTS as needed.

