CVE‐2026‐3505

Jump to bottom

David Hook edited this page Apr 21, 2026 · 6 revisions

Title: Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

Issue affecting: BC 1.74 to BC 1.83

Fixed versions: BC 1.84

Platform affected: Java 4 and later.

A crafted AEAD chunk header could lead to memory exhaustion in a JVM.

Fixed with commit dc7530939ffb6cdb57636f3609d98e23b94e71c1.