CVE-2026-3505

Description

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

How to fix CVE-2026-3505

To remediate CVE-2026-3505, upgrade the affected package to a fixed version below.

• Debian/bouncycastle—no fix listed
• —no fix listed
• —upgrade to 1.84 or later
• —no fix listed
• —no fix listed
• —upgrade to 1.84 or later
• —no fix listed
• —upgrade to 1.84 or later

Is CVE-2026-3505 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0
• from 0, <= 130
• from 0, < 1.84
• from 0, <= 1.46
• from 0, <= 1.70
• from 0, < 1.84
• from 0, <= 1.46
• from 0, < 1.84

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-3505
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-3505
• PATCHgithub.com/bcgit/bc-java
• WEBgithub.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1