Red Hat JBoss EAP: CVE-2026-3505: Allocation of Resources Without Limits or Throttling
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Apr 15, 2026 | May 19, 2026 | May 21, 2026 |
Description
Allocation of resources without limits or throttling (uncontrolled resource consumption) vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).
This vulnerability is associated with the program files AEADEncDataPacket.java, BcAEADUtil.java, JceAEADUtil.java and OperatorHelper.java.
This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84. A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpg. A specially crafted PGP AEAD (Authenticated Encryption with Associated Data) message with an unbounded chunk size can lead to excessive memory consumption. This issue allows an unauthenticated remote attacker to cause memory exhaustion in a JVM, resulting in a denial of service.
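The defensive check this class of bug calls for, as an added example (not Bouncy Castle's code or its fix): parse the fixed header of an OpenPGP AEAD Encrypted Data packet (tag 20) and bound the chunk-size octet before any chunk buffer is sized from it. It assumes the RFC 9580 packet layout (version, cipher id, AEAD id, chunk-size octet c, IV; chunk size = 2^(c+6), c in 0..16); the packet bodies are constructed samples.

```python
# Added example: bound the chunk-size octet of an OpenPGP AEAD Encrypted Data
# packet (tag 20, RFC 9580 layout) before allocating any chunk buffer.
from dataclasses import dataclass

# IV length per AEAD algorithm id (RFC 9580: 1 = EAX, 2 = OCB, 3 = GCM)
IV_LEN = {1: 16, 2: 15, 3: 12}
MAX_CHUNK_OCTET = 16  # RFC 9580: c must be 0..16, so a chunk is at most 2**22 bytes


@dataclass
class AeadHeader:
    version: int
    cipher_algo: int
    aead_algo: int
    chunk_octet: int
    iv: bytes

    @property
    def chunk_size(self) -> int:
        return 1 << (self.chunk_octet + 6)


def parse_aead_header(body: bytes) -> AeadHeader:
    """Parse the fixed header; reject a chunk-size octet outside the spec bound."""
    if len(body) < 4:
        raise ValueError("truncated AEAD packet header")
    version, cipher_algo, aead_algo, chunk_octet = body[:4]
    if version != 1:
        raise ValueError(f"unsupported AEAD packet version {version}")
    if aead_algo not in IV_LEN:
        raise ValueError(f"unknown AEAD algorithm id {aead_algo}")
    # The bound that prevents the memory-exhaustion case described above:
    # validate c before 2**(c+6) is ever used to size a decryption buffer.
    if chunk_octet > MAX_CHUNK_OCTET:
        raise ValueError(f"chunk size octet {chunk_octet} exceeds maximum {MAX_CHUNK_OCTET}")
    iv_len = IV_LEN[aead_algo]
    if len(body) < 4 + iv_len:
        raise ValueError("truncated IV")
    return AeadHeader(version, cipher_algo, aead_algo, chunk_octet, body[4:4 + iv_len])


def is_safe_to_decrypt(body: bytes) -> bool:
    """True only if the header passes validation and may proceed to decryption."""
    try:
        parse_aead_header(body)
        return True
    except ValueError:
        return False


# Constructed sample bodies: AES-256 (cipher id 9), OCB (AEAD id 2), 15-byte IV.
GOOD_BODY = bytes([1, 9, 2, 6]) + bytes(15) + b"ciphertext-and-tag"
BAD_BODY = bytes([1, 9, 2, 0xFF]) + bytes(15) + b"ciphertext-and-tag"
```

Running the validator on `BAD_BODY` raises before any buffer is allocated, which is the behaviour a patched reader must have.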
Solution
Upgrade Red Hat JBoss EAP to the latest version.
References
- CWE-770
- CWE-400
- CVE-2026-3505
- https://attackerkb.com/topics/CVE-2026-3505
- https://access.redhat.com/security/cve/CVE-2026-3505
- https://bugzilla.redhat.com/show_bug.cgi?id=2458638
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505
- https://access.redhat.com/errata/RHSA-2026:18054
- https://access.redhat.com/errata/RHSA-2026:18055
- https://access.redhat.com/errata/RHSA-2026:18059
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-22855