Bug#1118945: bouncycastle: CVE-2025-12194

Moritz Mühlenhoff jmm at inutil.org
Sat Oct 25 19:17:03 BST 2025


Source: bouncycastle
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bouncycastle.

CVE-2025-12194[0]:
| Uncontrolled Resource Consumption vulnerability in Legion of the
| Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API
| modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java
| LTS bcprov-lts8on on All (API modules) allows Excessive Allocation.
| This vulnerability is associated with program files
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java,
| core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.
| This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1;
| Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.

https://github.com/bcgit/bc-lts-java/commit/f2776feac0c30230f7a5ac34eb24f5019caf0324
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-12194
    https://www.cve.org/CVERecord?id=CVE-2025-12194

Please adjust the affected versions in the BTS as needed.
