Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-5598

Summary
Assigner-bcorg
Assigner Org ID-91579145-5d7b-4cc5-b925-a0262ff19630
Published At-15 Apr, 2026 | 09:05
Updated At-18 May, 2026 | 23:17
Rejected At-
Credits

Non-constant time comparisons risk private key leakage in FrodoKEM.

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:bcorg
Assigner Org ID:91579145-5d7b-4cc5-b925-a0262ff19630
Published At:15 Apr, 2026 | 09:05
Updated At:18 May, 2026 | 23:17
Rejected At:
▼CVE Numbering Authority (CNA)
Non-constant time comparisons risk private key leakage in FrodoKEM.

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.

Affected Products
Vendor
Legion of the Bouncy Castle Inc.
Product
BC-JAVA
Collection URL
https://www.bouncycastle.org/download/bouncy-castle-java/
Package Name
core
Repo
https://github.com/bcgit/bc-java
Modules
  • core
Program Files
  • FrodoEngine.java
Platforms
  • all
Default Status
unaffected
Versions
Affected
  • From 1.71 before 1.80.2 (maven)
  • From 1.81 before 1.80.1 (maven)
  • From 1.82 before 1.84 (maven)
Problem Types
TypeCWE IDDescription
CWECWE-385CWE-385 Covert timing channel
Type: CWE
CWE ID: CWE-385
Description: CWE-385 Covert timing channel
Metrics
VersionBase scoreBase severityVector
4.08.9HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/S:P/AU:Y/U:Red
Version: 4.0
Base score: 8.9
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/S:P/AU:Y/U:Red
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Cristina Dueñas Navarro (cristina.duenas@jtsec.es)
finder
Sunwoo Lee and Seunghyun Yoon, Korea Institute of Energy Technology (KENTECH)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
vendor-advisory
https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
patch
https://github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5
patch
Hyperlink: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
Resource:
vendor-advisory
Hyperlink: https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
Resource:
patch
Hyperlink: https://github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:91579145-5d7b-4cc5-b925-a0262ff19630
Published At:15 Apr, 2026 | 10:16
Updated At:19 May, 2026 | 00:16

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.9HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:Red
Type: Secondary
Version: 4.0
Base score: 8.9
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:Red
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-385Secondary91579145-5d7b-4cc5-b925-a0262ff19630
CWE ID: CWE-385
Type: Secondary
Source: 91579145-5d7b-4cc5-b925-a0262ff19630
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c591579145-5d7b-4cc5-b925-a0262ff19630
N/A
https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e8791579145-5d7b-4cc5-b925-a0262ff19630
N/A
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%90559891579145-5d7b-4cc5-b925-a0262ff19630
N/A
Hyperlink: https://github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5
Source: 91579145-5d7b-4cc5-b925-a0262ff19630
Resource: N/A
Hyperlink: https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
Source: 91579145-5d7b-4cc5-b925-a0262ff19630
Resource: N/A
Hyperlink: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
Source: 91579145-5d7b-4cc5-b925-a0262ff19630
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found