CVE-2025-8916: 
Java vulnerability analysis and mitigation

Allocation of Resources Without Limits or Throttling vulnerability (CVE-2025-8916) was discovered in Legion of the Bouncy Castle Inc. Bouncy Castle for Java affecting bcpkix, bcprov, and bcpkix-fips modules. The vulnerability was disclosed on August 13, 2025, affecting Bouncy Castle for Java versions from BC 1.44 through 1.78, BCPKIX FIPS versions 1.0.0 through 1.0.7, and BCPKIX FIPS versions 2.0.0 through 2.0.7 (NVD).

The vulnerability exists in the PKIXCertPathReviewer class which did not implement limits on the size of name constraints objects. This implementation oversight could lead to excessive resource allocation when processing large name constraint structures. The vulnerability has been assigned a CVSS 4.0 Base Score of 6.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber (BC Wiki).

When exploited, this vulnerability could be used as a source of a Denial of Service (DOS) attack. The impact is specifically relevant when the PKIXCertPathReviewer class is processing certificate paths of unknown origin without proper validation (BC Wiki).

The vulnerability has been fixed in BC Java 1.79, BCPKIX FIPS 1.0.8, and BCPKIX FIPS 2.0.8. The fix involves limiting the size of ASN.1 objects that can be loaded from untrusted sources, which automatically caps the maximum size of a Name Constraints structure that the PKIXCertPathReviewer can consume (BC Wiki).