Search for vulnerabilities
Vulnerability details: VCID-444n-c8c9-u3ek
Vulnerability ID VCID-444n-c8c9-u3ek
Aliases CVE-2025-8916
GHSA-4cx2-fc23-5wg6
Summary Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java . This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8916.json
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-8916
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4cx2-fc23-5wg6
generic_textual MODERATE https://github.com/bcgit/bc-java
generic_textual MODERATE https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e
generic_textual MODERATE https://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a
cvssv4 6.3 https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
generic_textual MODERATE https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
ssvc Track https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-8916
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8916.json
https://api.first.org/data/v1/epss?cve=CVE-2025-8916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8916
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/bcgit/bc-java
https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e
https://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a
https://nvd.nist.gov/vuln/detail/CVE-2025-8916
2388195 https://bugzilla.redhat.com/show_bug.cgi?id=2388195
CVE%E2%80%902025%E2%80%908916 https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
GHSA-4cx2-fc23-5wg6 https://github.com/advisories/GHSA-4cx2-fc23-5wg6
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8916.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber Found at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-13T13:13:37Z/ Found at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
Exploit Prediction Scoring System (EPSS)
Percentile 0.11684
EPSS Score 0.00042
Published At Aug. 13, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-08-14T08:03:42.746318+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 37.0.0