CVE-2026-5598

HIGH

Non-constant time comparisons risk private key leakage in FrodoKEM.

Title source: cna

Description

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Scores

CVSS v3 7.5
EPSS 0.0069
EPSS Percentile 48.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-385
Status published
Products (9)
Legion of the Bouncy Castle Inc./BC-JAVA 1.71 - 1.80.2
Legion of the Bouncy Castle Inc./BC-JAVA 1.71 - 1.84
Legion of the Bouncy Castle Inc./BC-JAVA 1.81 - 1.80.1
Legion of the Bouncy Castle Inc./BC-JAVA 1.81 - 1.81.1
Legion of the Bouncy Castle Inc./BC-JAVA 1.82 - 1.84
Legion of the Bouncy Castle Inc./BC-JAVA 2.17.3 - 1.84
org.bouncycastle/bcprov-jdk14 1.81 - 1.81.1 (Maven)
org.bouncycastle/bcprov-jdk15to18 1.71 - 1.80.2 (Maven)
org.bouncycastle/bcprov-jdk18on 1.82 - 1.84 (Maven)
Published Apr 15, 2026
Tracked Since Apr 15, 2026