CVE-2026-5598
HIGHNon-constant time comparisons risk private key leakage in FrodoKEM.
Title source: cnaDescription
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
References (12)
Core 12
Core References
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:12267
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:12269
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:18054
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:18055
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:18059
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-5598
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2458635
Vendor Advisory vendor-advisory
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
Scores
CVSS v3
7.5
EPSS
0.0069
EPSS Percentile
48.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-385
Status
published
Products (9)
Legion of the Bouncy Castle Inc./BC-JAVA
1.71 - 1.80.2
Legion of the Bouncy Castle Inc./BC-JAVA
1.71 - 1.84
Legion of the Bouncy Castle Inc./BC-JAVA
1.81 - 1.80.1
Legion of the Bouncy Castle Inc./BC-JAVA
1.81 - 1.81.1
Legion of the Bouncy Castle Inc./BC-JAVA
1.82 - 1.84
Legion of the Bouncy Castle Inc./BC-JAVA
2.17.3 - 1.84
org.bouncycastle/bcprov-jdk14
1.81 - 1.81.1Maven
org.bouncycastle/bcprov-jdk15to18
1.71 - 1.80.2Maven
org.bouncycastle/bcprov-jdk18on
1.82 - 1.84Maven
Published
Apr 15, 2026
Tracked Since
Apr 15, 2026