CVE-2026-3505: Bouncy Castle Uncontrolled Resource Consumption vulnerability

April 17, 2026 (updated April 18, 2026)

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This issue affects BC-JAVA before 1.84.

Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

References

github.com/advisories/GHSA-cj8j-37rh-8475
github.com/bcgit/bc-java
github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1
github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505
nvd.nist.gov/vuln/detail/CVE-2026-3505

Code Behaviors & Features

Detect and mitigate CVE-2026-3505 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →