Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Bouncy Castle Java Cryptography Library Leaks Private Keys
DEBIAN-CVE-2026-5598
Summary
A security weakness in the Bouncy Castle Java library could allow attackers to steal private keys. This affects Bouncy Castle Java versions 2.17.3 and earlier. To protect your data, update to a fixed version of the library as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | bouncycastle | All versions |
| Debian:12 | debian | bouncycastle | All versions |
| Debian:13 | debian | bouncycastle | All versions |
| Debian:14 | debian | bouncycastle | All versions |
Original title
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects ...
Original description
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84.
- https://security-tracker.debian.org/tracker/CVE-2026-5598 Vendor Advisory
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026