GHSA-p93r-85wp-75v3High

Bouncy Castle Has Covert Timing Channel Vulnerability

Published
April 17, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.

This issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations.

This issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.

Fixed versions: 1.80.2, 1.81.1, 1.84

🎯 Affected products3

  • maven/org.bouncycastle:bcprov-jdk15to18:>= 1.71, < 1.80.2
  • maven/org.bouncycastle:bcprov-jdk14:>= 1.81, < 1.81.1
  • maven/org.bouncycastle:bcprov-jdk18on:>= 1.82, < 1.84

🔗 References (6)