CVE-2026-5598: Bouncy Castle Has Covert Timing Channel Vulnerability

April 17, 2026 (updated April 25, 2026)

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.84.

References

github.com/advisories/GHSA-p93r-85wp-75v3
github.com/bcgit/bc-java
github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5
github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
github.com/bcgit/bc-java/wiki/CVE-2026-5598
nvd.nist.gov/vuln/detail/CVE-2026-5598

Code Behaviors & Features

Detect and mitigate CVE-2026-5598 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →