CVE-2025-9341

Garbage collection can delay for AES CBC Native support, resulting in heap exhaustion

Description

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files org/bouncycastle/crypto/fips/AESNativeCBC.Java, org/bouncycastle/crypto/engines/AESNativeCBC.Java. This issue affects Bouncy Castle for Java FIPS: from BC-FJA 2.1.0 through 2.1.0; Bouncy Castle for Java LTS: from BC-LTS 2.73.0 through 2.73.7.

Remediation

Workaround:

  • A system that cannot be updated can be made safe by booting the module in java mode and disabling AES-NI support.

Category

5.9
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.01%
Affected: Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS
Affected: Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS
Published at:
Updated at:

References

Link Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%909341

Frequently Asked Questions

What is the severity of CVE-2025-9341?
CVE-2025-9341 has been scored as a medium severity vulnerability.
How to fix CVE-2025-9341?
As a workaround for remediating CVE-2025-9341: A system that cannot be updated can be made safe by booting the module in java mode and disabling AES-NI support.
Is CVE-2025-9341 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-9341 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-9341?
CVE-2025-9341 affects Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS, Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.