CVE-2026-5598: Bouncy Castle Has Covert Timing Channel Vulnerability
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with the program file FrodoEngine.java.
This issue affects only users of the FrodoKEM algorithm, and only in the decryption of encapsulations.
This issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.
Fixed versions: 1.80.2, 1.81.1, 1.84
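The affected ranges interleave with the fixed releases (1.80.2 is fixed while 1.81 is affected), so a plain "older than 1.84" comparison misclassifies versions. The following check is an added example, not code from Bouncy Castle or this advisory; the `org.bouncycastle` group, the `bcprov-` artifact prefix and the sample dependency lines are assumptions.

```python
import re

# Inclusive affected ranges and fixed releases, copied from the advisory text.
AFFECTED = [("1.71", "1.80.1"), ("1.81", "1.81"), ("1.82", "1.83")]
FIXED = ["1.80.2", "1.81.1", "1.84"]

def parse(version):
    """'1.81' -> (1, 81, 0). Qualified versions (e.g. -SNAPSHOT) are rejected."""
    if not re.fullmatch(r"\d+\.\d+(\.\d+)?", version):
        raise ValueError(f"cannot order version {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse(version)
    return any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED)

def upgrade_target(version):
    """Nearest fixed release above an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    return min((f for f in FIXED if parse(f) > parse(version)), key=parse)

def scan(dependency_lines, group="org.bouncycastle", artifact_prefix="bcprov-"):
    """Return [(coordinate, fix)] for affected group:artifact:version lines.

    The group and artifact prefix are assumptions; the advisory names only
    "BC-JAVA core", so adjust them to the coordinates your build resolves.
    """
    findings = []
    for line in dependency_lines:
        fields = line.strip().split(":")
        if len(fields) != 3 or fields[0] != group:
            continue
        if not fields[1].startswith(artifact_prefix):
            continue
        fix = upgrade_target(fields[2])
        if fix:
            findings.append((line.strip(), fix))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = [
    "org.bouncycastle:bcprov-jdk18on:1.80.1",
    "org.bouncycastle:bcprov-jdk18on:1.80.2",
    "org.bouncycastle:bcprov-jdk18on:1.81",
    "org.bouncycastle:bcprov-jdk18on:1.83",
    "com.example:widget:1.75",
]
if __name__ == "__main__":
    for coordinate, fix in scan(SAMPLE):
        print(f"{coordinate}: affected by CVE-2026-5598, upgrade to {fix}")
```

A hit means the resolved version is in an affected range; whether the application is exposed still depends on it using FrodoKEM to decrypt encapsulations.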
References
- github.com/advisories/GHSA-p93r-85wp-75v3
- github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5
- github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
- github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
- github.com/bcgit/bc-java/wiki/CVE-2026-5598
- nvd.nist.gov/vuln/detail/CVE-2026-5598