CWE-385
AllowedCovert Timing Channel
Abstraction: Base · Status: Incomplete
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
76 vulnerabilities reference this CWE, most recent first.
GHSA-FMJV-Q9M9-J657
Vulnerability from github – Published: 2025-07-20 21:31 – Updated: 2025-07-20 21:31In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.
{
"affected": [],
"aliases": [
"CVE-2025-49087"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-20T19:15:24Z",
"severity": "MODERATE"
},
"details": "In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.",
"id": "GHSA-fmjv-q9m9-j657",
"modified": "2025-07-20T21:31:17Z",
"published": "2025-07-20T21:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49087"
},
{
"type": "WEB",
"url": "https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-5.md"
},
{
"type": "WEB",
"url": "https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FXWP-FXMC-JH57
Vulnerability from github – Published: 2026-04-14 15:30 – Updated: 2026-04-16 15:31A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched.
{
"affected": [],
"aliases": [
"CVE-2025-69893"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T15:16:25Z",
"severity": "MODERATE"
},
"details": "A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched.",
"id": "GHSA-fxwp-fxmc-jh57",
"modified": "2026-04-16T15:31:30Z",
"published": "2026-04-14T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69893"
},
{
"type": "WEB",
"url": "https://trezor.io/vulnerability/fix-side-channel-in-bip-39-mnemonic-processing-when-unlocked"
},
{
"type": "WEB",
"url": "http://trezor.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G854-MV2R-2R5H
Vulnerability from github – Published: 2023-07-24 18:30 – Updated: 2025-04-15 12:30A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2023-3640"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-24T16:15:13Z",
"severity": "HIGH"
},
"details": "A possible unauthorized memory access flaw was found in the Linux kernel\u0027s cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the \u0027Randomize per-cpu entry area\u0027 feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.",
"id": "GHSA-g854-mv2r-2r5h",
"modified": "2025-04-15T12:30:24Z",
"published": "2023-07-24T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:6583"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-3640"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H9V3-WVXH-4MWP
Vulnerability from github – Published: 2025-07-19 00:32 – Updated: 2025-12-03 15:30In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation.
{
"affected": [],
"aliases": [
"CVE-2025-7396"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T23:15:23Z",
"severity": "MODERATE"
},
"details": "In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation.",
"id": "GHSA-h9v3-wvxh-4mwp",
"modified": "2025-12-03T15:30:27Z",
"published": "2025-07-19T00:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7396"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HGGM-JPG3-V476
Vulnerability from github – Published: 2020-10-27 20:33 – Updated: 2024-11-18 16:26RSA decryption was vulnerable to Bleichenbacher timing vulnerabilities, which would impact people using RSA decryption in online scenarios. This is fixed in cryptography 3.2.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cryptography"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25659"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2020-10-27T20:32:44Z",
"nvd_published_at": "2021-01-11T16:15:00Z",
"severity": "HIGH"
},
"details": "RSA decryption was vulnerable to Bleichenbacher timing vulnerabilities, which would impact people using RSA decryption in online scenarios. This is fixed in cryptography 3.2. ",
"id": "GHSA-hggm-jpg3-v476",
"modified": "2024-11-18T16:26:10Z",
"published": "2020-10-27T20:33:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25659"
},
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/pull/5507"
},
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-hggm-jpg3-v476"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-62.yaml"
},
{
"type": "WEB",
"url": "https://pypi.org/project/cryptography"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "RSA decryption vulnerable to Bleichenbacher timing vulnerability"
}
GHSA-HVH4-5QR6-3V7R
Vulnerability from github – Published: 2024-06-05 16:56 – Updated: 2024-06-05 18:36Impact
kyber512, kyber768, and kyber1024 on Mac OS (or when compiled with clang) only: An attacker able to submit many decapsulation requests against a single private key, and to gain timing information about the decapsulation, could recover the private key. Proof-of-concept exploit exists for a local attacker.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
Patches
No patch is currently available / pending upstream PQClean#556.
Workarounds
No workarounds have been reported. The 0.0.7 -> 0.0.7.1 upgrade, when available, should be a drop-in replacement.
References
https://pqshield.com/pqshield-plugs-timing-leaks-in-kyber-ml-kem-to-improve-pqc-implementation-maturity/
https://github.com/antoonpurnal/clangover
https://www.github.com/PQClean/PQClean/issues/556
https://www.github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pypqc"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.4"
},
{
"last_affected": "0.0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-385",
"CWE-733"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-05T16:56:35Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n`kyber512`, `kyber768`, and `kyber1024` on Mac OS \\(or when compiled with clang\\) only: An attacker able to submit many decapsulation requests against a single private key, and to gain timing information about the decapsulation, could recover the private key. Proof-of-concept exploit exists for a local attacker.\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C \n\n### Patches\nNo patch is currently available / pending upstream [PQClean#556](https://github.com/PQClean/PQClean/issues/556).\n\n### Workarounds\nNo workarounds have been reported. The 0.0.7 -\u003e 0.0.7.1 upgrade, when available, should be a drop-in replacement\u003c!--; it has no known breaking changes--\u003e.\n\n### References\n\nhttps://pqshield.com/pqshield-plugs-timing-leaks-in-kyber-ml-kem-to-improve-pqc-implementation-maturity/\n\nhttps://github.com/antoonpurnal/clangover\n\nhttps://www.github.com/PQClean/PQClean/issues/556\n\nhttps://www.github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c",
"id": "GHSA-hvh4-5qr6-3v7r",
"modified": "2024-06-05T18:36:15Z",
"published": "2024-06-05T16:56:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-hvh4-5qr6-3v7r"
},
{
"type": "WEB",
"url": "https://github.com/PQClean/PQClean/issues/556"
},
{
"type": "PACKAGE",
"url": "https://github.com/JamesTheAwesomeDude/pypqc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Observable Timing Discrepancy in pypqc"
}
GHSA-J6VM-4R7G-X4GR
Vulnerability from github – Published: 2024-11-27 19:01 – Updated: 2024-11-27 19:01Impact
Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.
Patches
Patched in 2024.11.26
Workarounds
Upgrade the package
References
https://en.wikipedia.org/wiki/Timing_attack
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Devolutions.XTS.NET"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2024.11.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-11862"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-27T19:01:01Z",
"nvd_published_at": "2024-11-27T15:15:25Z",
"severity": "MODERATE"
},
"details": "### Impact\nTiming attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.\n\n### Patches\nPatched in 2024.11.26\n\n### Workarounds\nUpgrade the package\n\n### References\nhttps://en.wikipedia.org/wiki/Timing_attack\n",
"id": "GHSA-j6vm-4r7g-x4gr",
"modified": "2024-11-27T19:01:01Z",
"published": "2024-11-27T19:01:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Devolutions/XTS.NET/security/advisories/GHSA-j6vm-4r7g-x4gr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11862"
},
{
"type": "WEB",
"url": "https://github.com/Devolutions/XTS.NET/commit/fb349d5bfb587218e8603b38ea37f03f036b57fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/Devolutions/XTS.NET"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications"
}
GHSA-JQR3-3JM7-R6CM
Vulnerability from github – Published: 2025-06-17 00:30 – Updated: 2025-06-26 18:31OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.
{
"affected": [],
"aliases": [
"CVE-2025-27587"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-16T22:15:44Z",
"severity": "MODERATE"
},
"details": "OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.",
"id": "GHSA-jqr3-3jm7-r6cm",
"modified": "2025-06-26T18:31:19Z",
"published": "2025-06-17T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27587"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/issues/24253"
},
{
"type": "WEB",
"url": "https://minerva.crocs.fi.muni.cz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5PX-2Q2G-HXC2
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
{
"affected": [],
"aliases": [
"CVE-2018-10845"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-385"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-22T13:29:00Z",
"severity": "MODERATE"
},
"details": "It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.",
"id": "GHSA-m5px-2q2g-hxc2",
"modified": "2022-05-13T01:14:22Z",
"published": "2022-05-13T01:14:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10845"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3505"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-10845"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1582572"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10845"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2018/747"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnutls/gnutls/merge_requests/657"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3999-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P93R-85WP-75V3
Vulnerability from github – Published: 2026-04-17 18:31 – Updated: 2026-06-19 15:20Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.
This issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations.
This issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.
Fixed versions: 1.80.2, 1.81.1, 1.84
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.71"
},
{
"fixed": "1.80.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.81"
},
{
"fixed": "1.81.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-5598"
],
"database_specific": {
"cwe_ids": [
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:25:24Z",
"nvd_published_at": "2026-04-15T10:16:49Z",
"severity": "HIGH"
},
"details": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.\n\nThis issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations.\n\nThis issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.\n\nFixed versions: 1.80.2, 1.81.1, 1.84",
"id": "GHSA-p93r-85wp-75v3",
"modified": "2026-06-19T15:20:41Z",
"published": "2026-04-17T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5598"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/8692e6b2b191fc4aafa32545c7a78bdb9bf110c5"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87"
},
{
"type": "PACKAGE",
"url": "https://github.com/bcgit/bc-java"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2026-5598"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/S:P/AU:Y/U:Red",
"type": "CVSS_V4"
}
],
"summary": "Bouncy Castle Has Covert Timing Channel Vulnerability"
}
Mitigation
Whenever possible, specify implementation strategies that do not introduce time variances in operations.
Mitigation
Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.
Mitigation
It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.