CVE‐2025‐8916

David Hook edited this page Aug 29, 2025 · 5 revisions

Possible DOS in processing large name constraint structures in PKIXCertPathReviewer

Issue affecting: BC Java 1.44 to BC Java 1.78, BCPKIX FIPS 1.0.0 to BCPKIX FIPS 1.0.7, BCPKIX FIPS 2.0.0 to BCPKIX FIPS 2.0.7

Fixed versions: BC Java 1.79, BCPKIX FIPS 1.0.8, BCPKIX FIPS 2.0.8

Platform affected: All JVMs.

PKIXCertPathReviewer did not have an established limit on the size of the name constraints object. Where the class was in use, this lack of a limit could be used to mount a DOS attack.

For an attack to take place, the PKIXCertPathReviewer class must be in use by the application under attack, and the class must be consuming certificate paths of unknown origin without any other form of validation.

Limiting the size of ASN.1 objects that can be loaded from "the wild" will mitigate the risk of an exploit by automatically putting a cap on the maximum size of a Name Constraints structure that the PKIXCertPathReviewer has to consume.
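
One way to apply the size limit described above before certificates of unknown origin reach PKIXCertPathReviewer, as an added example that is not Bouncy Castle's own code. The class name BoundedCertLoader, the 16 KiB cap and DER-encoded input are assumptions; InputStream.readNBytes(int) requires Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1InputStream;

/** Hypothetical helper: caps the encoded size of every certificate before it is parsed. */
public final class BoundedCertLoader {
    // Assumed cap; set it to the largest certificate your PKI legitimately issues.
    private static final int MAX_CERT_BYTES = 16 * 1024;

    /** Reads at most max bytes and fails if the stream holds more. */
    static byte[] readBounded(InputStream in, int max) throws IOException {
        byte[] buf = in.readNBytes(max + 1);
        if (buf.length > max) {
            throw new IOException("encoded certificate exceeds " + max + " bytes");
        }
        return buf;
    }

    /** Parses one DER certificate whose total size, and so its Name Constraints, is capped. */
    static Certificate parseCertificate(InputStream untrusted)
            throws IOException, CertificateException {
        byte[] der = readBounded(untrusted, MAX_CERT_BYTES);
        // The limit argument makes ASN1InputStream reject length fields beyond the buffer.
        try (ASN1InputStream asn1 = new ASN1InputStream(new ByteArrayInputStream(der), der.length)) {
            if (asn1.readObject() == null || asn1.readObject() != null) {
                throw new IOException("expected exactly one ASN.1 object");
            }
        }
        return CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /** Builds the CertPath that is later handed to PKIXCertPathReviewer. */
    static CertPath buildPath(List<InputStream> untrustedCerts)
            throws IOException, CertificateException {
        List<Certificate> certs = new ArrayList<>();
        for (InputStream in : untrustedCerts) {
            certs.add(parseCertificate(in));
        }
        return CertificateFactory.getInstance("X.509").generateCertPath(certs);
    }
}
```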

Fix Commits

https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e

https://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a
