Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.
This issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations.
This issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.
Fixed versions: 1.80.2, 1.81.1, 1.84
| Score | Percentile |
|---|---|
| 0.51% | 39.50% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-p93r-85wp-75v3 ↗ |
| CVE | CVE-2026-5598 ↗ |
| CWE id | Name |
|---|---|
| CWE-385 | Covert Timing Channel |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.bouncycastle:bcprov-jdk15to18 | >= 1.71, < 1.80.2 | 1.80.2 | — |
| maven | org.bouncycastle:bcprov-jdk14 | >= 1.81, < 1.81.1 | 1.81.1 | — |
| maven | org.bouncycastle:bcprov-jdk18on | >= 1.82, < 1.84 | 1.84 | — |