Bug 2388195 (CVE-2025-8916)

Summary: CVE-2025-8916 org.bouncycastle: BouncyCastle denial of service
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, anstephe, anthomas, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dbruscin, dfreiber, dhanak, dkreling, dosoudil, drosa, drow, eaguilar, ebaron, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jkoehler, jmartisk, jnethert, jolong, jpechane, jpoth, jrokos, jscholz, juwatts, kvanderr, kverlaen, lgao, lphiri, lthon, manderse, mhulan, mnovotny, mosmerov, mposolda, msochure, msvehla, nipatil, nmoumoul, nwallace, olubyans, osousa, pantinor, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rkubis, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthorger, swoodman, tcunning, tmalecek, tom.jenkinson, tqvarnst, vkumar, vmuzikar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Text:
A denial of service flaw has been discovered in the BouncyCastle library. The PKIXCertPathReviewer class did not enforce a limit on the size of the name constraints object. Where the class is in use, this lack of a limit could be exploited to cause a denial of service (DoS). For an attack to take place, the PKIXCertPathReviewer class must be in use by the application under attack, and the class must be consuming certificate paths of unknown origin without any other form of validation.
Bug Depends On: 2388277, 2388282, 2388289, 2388290, 2388291, 2388292, 2388276, 2388278, 2388279, 2388280, 2388281, 2388283, 2388284, 2388285, 2388286, 2388287, 2388288, 2388294, 2388295    

Description OSIDB Bzimport 2025-08-13 10:01:28 UTC
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java, https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java.

This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.