Germany's Federal Office for Information Security (BSI) is warning about four separate vulnerabilities in the Bouncy Castle cryptography library. They affect encryption and digital signatures. In the worst case, attackers could decrypt protected data or pass off forged certificates as valid. If you use Bouncy Castle, apply the available updates promptly.
The scope comes down to how widely the library is used. Bouncy Castle is open source and supports several programming languages, mainly Java and C#/.NET. It provides implementations for encryption algorithms, hash functions, digital signatures, and public-key infrastructures. That is exactly why unpatched flaws weigh so heavily here.
The BSI lists four vulnerabilities:
- CVE-2025-14813 (CVSS 9.3)
- CVE-2026-3505 (CVSS 8.7)
- CVE-2026-5588 (CVSS 6.3)
- CVE-2026-0636 (CVSS 5.5)
Weak encryption is the biggest risk
The most dangerous is CVE-2025-14813. It was discovered last year but, like the others, only published on 15 April 2026. Affected products are still being added to the list. The flaw sits in the bcprov component responsible for GOST-CTR encryption. Because the implementation used a single byte as its counter, the mode could not encrypt or decrypt more than 255 blocks. That falls below the specification, which calls for a counter covering a range of n/2 bits. The result: the keystream repeats after just 256 blocks. Attackers could correlate ciphertext blocks that share an identical keystream, draw conclusions about the plaintext, and in part even reconstruct it. All versions before 1.84 are affected.
Denial of service via crafted PGP messages
CVE-2026-3505 describes uncontrolled resource consumption in the bcpg component. The library does not check how large the data block of an incoming PGP-AEAD packet may be before it allocates memory. An attacker can craft a PGP message with an AEAD-encrypted payload that declares an absurdly large block size. When Bouncy Castle tries to reserve that much memory, a denial of service can follow. The issue is fixed in the current Java releases.
The remaining two flaws are less critical but should be closed as well. CVE-2026-5588 concerns a faulty signature check in the bcpkix module. Under certain conditions, checks are not carried out correctly, so manipulated or forged signatures and certificates wrongly pass as valid. CVE-2026-0636 is an LDAP injection in the bcprov module: special characters are not sanitized properly, which could let attackers inject their own LDAP statements and expose confidential information.
Fixes are available for all four vulnerabilities. The pragmatic route is an update to Bouncy Castle 1.84 or newer. After that, check that your applications actually pull in the patched version.