Bouncy Castle Java PGP Module Can Cause Server Overload

DEBIAN-CVE-2026-3505
Summary

A security issue in the Bouncy Castle Java PGP module can cause a server to run out of resources if it processes a large number of PGP encrypted messages. The cause is an unbounded PGP AEAD chunk size, which allows resource exhaustion before authentication. This affects Bouncy Castle Java versions before 1.84. To protect your system, update to the latest version of the module.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem  Vendor  Product       Affected versions
Debian:11  debian  bouncycastle  All versions
Debian:12  debian  bouncycastle  All versions
Debian:13  debian  bouncycastle  All versions
Debian:14  debian  bouncycastle  All versions
Original title
Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD ...
Original description
Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This issue affects BC-JAVA: before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026