{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-12194", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "state": "PUBLISHED", "assignerShortName": "bcorg", "dateReserved": "2025-10-24T20:54:20.444Z", "datePublished": "2025-10-24T22:51:36.942Z", "dateUpdated": "2025-10-27T15:21:41.167Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle", "defaultStatus": "unaffected", "modules": ["API"], "packageName": "bc-fips", "platforms": ["All"], "product": "Bouncy Castle for Java FIPS", "programFiles": ["core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.java"], "repo": "ssh://bcgit@git.bouncycastle.org:bc-fips-2.1.X-java.git", "vendor": "Legion of the Bouncy Castle Inc.", "versions": [{"lessThanOrEqual": "2.1.1", "status": "affected", "version": "2.1.0", "versionType": "maven"}]}, {"collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle", "defaultStatus": "unaffected", "modules": ["API"], "packageName": "bcprov-lts8on", "platforms": ["All"], "product": "Bouncy Castle for Java LTS", "programFiles": ["core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.java"], "repo": "https://github.com/bcgit/bc-lts-java", "vendor": "Legion of the Bouncy Castle Inc.", "versions": [{"lessThanOrEqual": "2.73.7", "status": "affected", "version": "2.73.0", "versionType": "maven"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:legion_of_the_bouncy_castle_inc.:bouncy_castle_for_java_fips:*:*:all:*:*:*:*:*", "versionEndIncluding": "2.1.1", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:legion_of_the_bouncy_castle_inc.:bouncy_castle_for_java_lts:*:*:all:*:*:*:*:*", "versionEndIncluding": "2.73.7", "versionStartIncluding": "2.73.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation.<p> This vulnerability is associated with program files <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java</tt>.</p><p>This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.</p>"}], "value": "Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.\n\nThis issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:P/AU:N/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2025-10-24T23:01:19.091Z"}, "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.4.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:21:29.159919Z", "id": "CVE-2025-12194", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:21:41.167Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12194", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:21:29.159919Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:21:35.931Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 5.9, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:P/AU:N/R:U/V:C/RE:M/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "ssh://bcgit@git.bouncycastle.org:bc-fips-2.1.X-java.git", "vendor": "Legion of the Bouncy Castle Inc.", "modules": ["API"], "product": "Bouncy Castle for Java FIPS", "versions": [{"status": "affected", "version": "2.1.0", "versionType": "maven", "lessThanOrEqual": "2.1.1"}], "platforms": ["All"], "packageName": "bc-fips", "programFiles": ["core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.java"], "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle", "defaultStatus": "unaffected"}, {"repo": "https://github.com/bcgit/bc-lts-java", "vendor": "Legion of the Bouncy Castle Inc.", "modules": ["API"], "product": "Bouncy Castle for Java LTS", "versions": [{"status": "affected", "version": "2.73.0", "versionType": "maven", "lessThanOrEqual": "2.73.7"}], "platforms": ["All"], "packageName": "bcprov-lts8on", "programFiles": ["core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.java", "core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.java"], "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194"}], "x_generator": {"engine": "Vulnogram 0.4.0"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.\n\nThis issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.", "supportingMedia": [{"type": "text/html", "value": "Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation.<p> This vulnerability is associated with program files <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java</tt>, <tt>core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java</tt>.</p><p>This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:legion_of_the_bouncy_castle_inc.:bouncy_castle_for_java_fips:*:*:all:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "2.1.1", "versionStartIncluding": "2.1.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:legion_of_the_bouncy_castle_inc.:bouncy_castle_for_java_lts:*:*:all:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "2.73.7", "versionStartIncluding": "2.73.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2025-10-24T23:01:19.091Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12194", "state": "PUBLISHED", "dateUpdated": "2025-10-27T15:21:41.167Z", "dateReserved": "2025-10-24T20:54:20.444Z", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "datePublished": "2025-10-24T22:51:36.942Z", "assignerShortName": "bcorg"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.\n\nThis issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7."}], "id": "CVE-2025-12194", "lastModified": "2025-10-27T13:20:15.637", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "91579145-5d7b-4cc5-b925-a0262ff19630", "type": "Secondary"}]}, "published": "2025-10-24T23:15:39.277", "references": [{"source": "91579145-5d7b-4cc5-b925-a0262ff19630", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194"}], "sourceIdentifier": "91579145-5d7b-4cc5-b925-a0262ff19630", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "91579145-5d7b-4cc5-b925-a0262ff19630", "type": "Secondary"}]}

{"bugzilla": {"description": "bcprov-lts8on: bc-fips: Uncontrolled Resource Consumption vulnerability in Bouncy Castle", "id": "2406287", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406287"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java.\nThis issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-12194", "package_state": [{"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Fix deferred", "package_name": "bcprov-lts8on", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Fix deferred", "package_name": "bcprov-lts8on", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "bc-fips", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "kubernetes-client-init-bc-fips", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "bc-fips", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-10-24T22:51:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-12194\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-12194\nhttps://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194"], "threat_severity": "Moderate"}