Possible DOS in processing large name constraint structures in PKIXCertPathReveiwer

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber

Description

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .

This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.

Basic Information

ID CVE-2025-8916

Source bcorg

Published Aug 13, 2025 at 09:31

Modified Aug 13, 2025 at 09:43

Affected Product

Vendor Legion of the Bouncy Castle Inc.

Product Bouncy Castle for Java

Version BC 1.44

Affected Versions Legion of the Bouncy Castle Inc. Bouncy Castle for Java BC 1.44
Legion of the Bouncy Castle Inc. Bouncy Castle for Java BCPKIX FIPS 1.0.0
Legion of the Bouncy Castle Inc. Bouncy Castle for Java BCPKIX FIPS 2.0.0

CWE Classification

CWE-770

References

github.com /bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916

{
    "lastseen": "",
    "description": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files  https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java ,  https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .\n\nThis issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.",
    "published": "2025-08-13T09:31:21.181Z",
    "modified": "2025-08-13T09:43:33.772Z",
    "type": "cve",
    "title": "Possible DOS in processing large name constraint structures in PKIXCertPathReveiwer",
    "source": "bcorg",
    "references": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916",
    "id": "CVE-2025-8916",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "Legion of the Bouncy Castle Inc. Bouncy Castle for Java BC 1.44\nLegion of the Bouncy Castle Inc. Bouncy Castle for Java BCPKIX FIPS 1.0.0\nLegion of the Bouncy Castle Inc. Bouncy Castle for Java BCPKIX FIPS 2.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Bouncy Castle for Java",
    "version": "BC 1.44",
    "vendor": "Legion of the Bouncy Castle Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Possible DOS in processing large name constraint structures in PKIXCertPathReveiwer_CVE-2025-8916