{ "threat_severity" : "Important", "public_date" : "2026-04-15T09:05:56Z", "bugzilla" : { "description" : "bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons", "id" : "2458635", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458635" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "draft" }, "cwe" : "CWE-385", "details" : [ "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.\nThis issue affects BC-JAVA: from 1.71 before 1.84.", "A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy to gain unauthorized access to sensitive cryptographic information." ], "statement" : "To exploit this issue, an unauthenticated attacker needs to send highly specific, malformed ciphertexts to the target server. These payloads are used to interact with the private key of the server in a way that the vulnerable, non-constant time code paths are triggered during the verification step. An attack typically requires sending a large volume of these requests to perform statistical analysis on the resulting timing variations, increasing its complexity.\nThe primary security impact of this vulnerability is the potential leakage of private keys associated with the FrodoKEM implementation. This can compromise encrypted communications or authentication mechanisms.", "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "ocp-tools-4/jenkins-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "ocp-tools-4/jenkins-rhel9", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "bcprov-debug-jdk15on", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "bcprov-lts8on", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Not affected", "package_name" : "bcprov-lts8on", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk15on", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk15on", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Not affected", "package_name" : "bcprov-lts8on", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "bcprov-jdk15", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15to18", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "pki-core:10.6/resteasy", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "pki-deps:10.6/resteasy", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "jmc", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "resteasy", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-debug-jdk18on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk15on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk18on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Affected", "package_name" : "bcprov-jdk15", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15to18", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk16", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "bcprov-jdk12", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "bcprov-jdk15", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk15on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk18on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Affected", "package_name" : "bcprov-jdk12", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15to18", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk15on", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-ext-jdk18on", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-jdk12", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15to18", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on-1.83.0.redhat-00001.jar", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-modelmesh-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-modelmesh-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/openvsx-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/pluginregistry-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15to18", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Not affected", "package_name" : "bcprov-jdk15on", "cpe" : "cpe:/a:redhat:amq_streams:3" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Not affected", "package_name" : "bcprov-jdk18on", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-5598\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5598\nhttps://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905998" ], "name" : "CVE-2026-5598", "mitigation" : { "value" : "To mitigate this vulnerability, implement aggressive rate limiting and anomaly detection, specifically looking for unusual, high-frequency cryptographic handshake failures or anomalous traffic patterns targeting endpoints that handle key exchanges in the network logs.", "lang" : "en:us" }, "csaw" : false }