CVE-2026-3505 - High Severity Vulnerability
Vulnerable Library - bcpg-jdk18on-1.80.jar
The Bouncy Castle Java APIs for the OpenPGP Protocol. The APIs are designed primarily to be used in conjunction with the BC Java provider but may also be used with other providers providing cryptographic services.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcpg-jdk18on/1.80/163889a825393854dbe7dc52f1a8667e715e9859/bcpg-jdk18on-1.80.jar
Dependency Hierarchy:
- ❌ bcpg-jdk18on-1.80.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.
This issue affects BC-JAVA: from 1.74 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2026-3505
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution: 1.84
Step up your Open Source Security Game with Mend here
CVE-2026-3505 - High Severity Vulnerability
The Bouncy Castle Java APIs for the OpenPGP Protocol. The APIs are designed primarily to be used in conjunction with the BC Java provider but may also be used with other providers providing cryptographic services.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcpg-jdk18on/1.80/163889a825393854dbe7dc52f1a8667e715e9859/bcpg-jdk18on-1.80.jar
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.
This issue affects BC-JAVA: from 1.74 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2026-3505
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution: 1.84
Step up your Open Source Security Game with Mend here