{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5598", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "state": "PUBLISHED", "assignerShortName": "bcorg", "dateReserved": "2026-04-05T07:25:44.930Z", "datePublished": "2026-04-15T09:05:56.277Z", "dateUpdated": "2026-04-15T13:11:53.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T09:05:56.277Z"}, "title": "Non-constant time comparisons risk private key leakage in FrodoKEM.", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-385", "description": "CWE-385 Covert timing channel", "type": "CWE"}]}], "affected": [{"vendor": "Legion of the Bouncy Castle Inc.", "product": "BC-JAVA", "platforms": ["all"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "packageName": "core", "repo": "https://github.com/bcgit/bc-java", "modules": ["core"], "programFiles": ["FrodoEngine.java"], "versions": [{"status": "affected", "version": "2.17.3", "lessThan": "1.84", "versionType": "maven"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).\n Non-constant time comparisons risk private key leakage in FrodoKEM.\n\nThis issue affects BC-JAVA: from 2.17.3 before 1.84.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).<div><br><p> Non-constant time comparisons risk private key leakage in FrodoKEM.</p><p>This issue affects BC-JAVA: from 2.17.3 before 1.84.</p></div>"}]}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905998"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:11:48.318645Z", "id": "CVE-2026-5598", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:11:53.444Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:11:48.318645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:11:50.359Z"}}], "cna": {"title": "Non-constant time comparisons risk private key leakage in FrodoKEM.", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bcgit/bc-java", "vendor": "Legion of the Bouncy Castle Inc.", "modules": ["core"], "product": "BC-JAVA", "versions": [{"status": "affected", "version": "2.17.3", "lessThan": "1.84", "versionType": "maven"}], "platforms": ["all"], "packageName": "core", "programFiles": ["FrodoEngine.java"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905998"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).\n Non-constant time comparisons risk private key leakage in FrodoKEM.\n\nThis issue affects BC-JAVA: from 2.17.3 before 1.84.", "supportingMedia": [{"type": "text/html", "value": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).<div><br><p> Non-constant time comparisons risk private key leakage in FrodoKEM.</p><p>This issue affects BC-JAVA: from 2.17.3 before 1.84.</p></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-385", "description": "CWE-385 Covert timing channel"}]}], "providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T09:05:56.277Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5598", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:11:53.444Z", "dateReserved": "2026-04-05T07:25:44.930Z", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "datePublished": "2026-04-15T09:05:56.277Z", "assignerShortName": "bcorg"}, "dataVersion": "5.2"}

{}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T10:21:05.660438+00:00", "value": {"mitigation_remediation": ["Upgrade BC\u2011JAVA to any release version 1.84 or later, which replaces the non\u2011constant time comparison with a constant\u2011time implementation.", "If an upgrade cannot be performed immediately, disable all usage of FrodoKEM constructs and substitute them with a different, vetted key encapsulation scheme until the patch is applied.", "Deploy cryptographic operations within a hardened, isolated environment (e.g., hardware security module or trusted execution environment) that mitigates timing side\u2011channel leakage until a fixed release is available."], "summary": {"action": "Immediate Patch", "impact": "Private key leakage via timing side\u2011channel"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts all BC\u2011JAVA core modules from version 2.17.3 up to, but not including, version 1.84. Users running these earlier releases are susceptible.", "description_and_impact": "Covert timing\u2011channel vulnerability in Legion of the Bouncy Castle Inc. BC\u2011JAVA core modules arises from non\u2011constant time comparisons performed during FrodoKEM operations. The flaw, categorized as CWE\u2011385, allows an adversary to extract private key material by measuring execution timings, thereby breaking the confidentiality of encrypted communications. The issue is confined to the core implementation of the FrodoKEM key\u2011encapsulation mechanism and does not affect other parts of the library.", "risk_and_exploitability": "The CVSS score of 10 indicates a critical weakness. Although EPSS data is not available and the issue is not listed in the CISA KEV catalog, the nature of the flaw suggests that an attacker who can conduct precise timing measurements of the comparison routine could recover private keys. The attack vector is likely a side\u2011channel attack that requires the attacker to trigger or observe FrodoKEM comparisons, which may be feasible in environments where the application is exposed to an active network or on a shared hosting/platform that permits timing analysis."}}}}, "created": "2026-04-15T13:49:14.858865+00:00", "updated": "2026-04-15T13:49:14.858875+00:00", "vendors": []}