Bug 2458638 (CVE-2026-3505)

Summary: CVE-2026-3505 bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: anthomas, aschwart, asoldano, aszczucz, ataylor, bbaranow, bmaxwell, boliveir, bstansbe, chfoley, dhanak, dlofthou, drichtar, drosa, ehelms, fmariani, fmongiar, ggainey, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jnethert, jrokos, juwatts, mhulan, mnovotny, mosmerov, mposolda, msvehla, nmoumoul, nwallace, osousa, pberan, pcreech, pdelbell, pesilva, pjindal, pmackay, rchan, rgodfrey, rhel-process-autobot, rmartinc, rstancel, rstepani, sausingh, smaestri, smallamp, ssilvert, sthorger, swoodman, tcunning, thjenkin, tmalecek, vdosoudi, vmuzikar, watson-tool-maintainers, yfang
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpg. A specially crafted PGP AEAD (Authenticated Encryption with Associated Data) message with an unbounded chunk size can lead to an excessive consumption of memory. This issue allows an unauthenticated remote attacker to cause memory exhaustion in a JVM, resulting in a denial of service.

Description OSIDB Bzimport 2026-04-15 10:01:40 UTC
Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This issue affects BC-JAVA: before 1.84.

Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

Comment 2 errata-xmlrpc 2026-05-05 07:57:13 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.14 for Quarkus 3.27

Via RHSA-2026:13631 https://access.redhat.com/errata/RHSA-2026:13631

Comment 3 errata-xmlrpc 2026-05-14 16:55:48 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14

Via RHSA-2026:17668 https://access.redhat.com/errata/RHSA-2026:17668

Comment 4 errata-xmlrpc 2026-05-18 12:12:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1

Via RHSA-2026:18059 https://access.redhat.com/errata/RHSA-2026:18059

Comment 5 errata-xmlrpc 2026-05-18 12:19:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9

Via RHSA-2026:18055 https://access.redhat.com/errata/RHSA-2026:18055

Comment 6 errata-xmlrpc 2026-05-18 12:22:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2026:18054 https://access.redhat.com/errata/RHSA-2026:18054