CVE-2025-8916

MEDIUM

BC Java 1.44-1.78 and BCPKIX FIPS 1.0.0-1.0.7, 2.0.0-2.0.7 - Excessive Allocation in PKIXCertPathReviewer

Title source: llm

Description

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), and Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with the program files https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java and https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java. This issue affects BC Java (bcpkix): from 1.44 through 1.78; BC Java (bcprov): from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7 and from 2.0.0 through 2.0.7.

Scores

CVSS v4 6.3
EPSS 0.0043
EPSS Percentile 34.2%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:U/V:X/RE:M/U:Amber

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (8)
Legion of the Bouncy Castle Inc./BC Java 1.44 - 1.78
Legion of the Bouncy Castle Inc./BCPKIX FIPS 1.0.0 - 1.0.7
Legion of the Bouncy Castle Inc./BCPKIX FIPS 2.0.0 - 2.0.7
org.bouncycastle/bcpkix-fips 1.0.0 - 1.0.8 (Maven)
org.bouncycastle/bcpkix-fips 2.0.0 - 2.0.8 (Maven)
org.bouncycastle/bcpkix-jdk15on 1.44 - 1.79 (Maven)
org.bouncycastle/bcpkix-jdk15to18 1.44 - 1.79 (Maven)
org.bouncycastle/bcpkix-jdk18on 1.44 - 1.79 (Maven)
Published Aug 13, 2025
Tracked Since Feb 18, 2026