CVE-2025-9340

native encrypt/decrypt operations in JCE may corrupt data if same byte array used for input and output.

Description

Out-of-bounds Write vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bc-fips on All (API modules). This vulnerability is associated with program files org/bouncycastle/jcajce/provider/BaseCipher. This issue affects Bouncy Castle for Java: from BC-FJA 2.1.0 through 2.1.0.

Remediation

Workaround:

  • This can be coded around by avoiding operations in place when dealing with aes-native encryption/decryption.

Category

N/A
CVSS
Severity: Low
EPSS 0.02%
Affected: Legion of the Bouncy Castle Inc. Bouncy Castle for Java
Published at:
Updated at:

References

Link Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%909340

Frequently Asked Questions

What is the severity of CVE-2025-9340?
CVE-2025-9340 has not yet been assigned a CVSS score.
How to fix CVE-2025-9340?
As a workaround for remediating CVE-2025-9340: This can be coded around by avoiding operations in place when dealing with aes-native encryption/decryption.
Is CVE-2025-9340 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-9340 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-9340?
CVE-2025-9340 affects Legion of the Bouncy Castle Inc. Bouncy Castle for Java.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.