CVE-2025-8916
Publication date 13 August 2025
Last updated 18 March 2026
Ubuntu priority
Description
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java, https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java. This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| bouncycastle | 25.10 questing | Not affected |
| | 24.04 LTS noble | Fixed 1.77-1ubuntu0.1~esm1 |
| | 22.04 LTS jammy | Ignored changes too intrusive |
| | 20.04 LTS focal | Ignored changes too intrusive |
| | 18.04 LTS bionic | Ignored changes too intrusive |
| | 16.04 LTS xenial | Ignored changes too intrusive |
Notes
hlibk
On jammy and below, the fix requires a previous refactor commit which contains many changes and could introduce regressions. Relevant commit: af130a29be3a1ecc7cf0e0f780fc7fc95795a9f1
References
Related Ubuntu Security Notices (USN)
- USN-8108-1: Bouncy Castle vulnerabilities (18 March 2026)