CVE-2025-8916: 
Java vulnerability analysis and mitigation

A resource allocation vulnerability (CVE-2025-8916) was discovered in Legion of the Bouncy Castle Inc.'s Bouncy Castle for Java affecting bcpkix, bcprov, and bcpkix-fips modules. The vulnerability was disclosed on August 13, 2025, and affects multiple versions: BC 1.44 through 1.78, BCPKIX FIPS 1.0.0 through 1.0.7, and BCPKIX FIPS 2.0.0 through 2.0.7 (NVD, BC Wiki).

The vulnerability is classified as an Allocation of Resources Without Limits or Throttling (CWE-770). The issue specifically involves the PKIXCertPathReviewer class not having an established limit on the size of name constraints objects. The vulnerability has received a CVSS 4.0 Base Score of 6.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber (NVD).

The vulnerability could be exploited as a source of a Denial of Service (DOS) attack when processing large name constraint structures in PKIXCertPathReviewer. The impact is particularly relevant when the application processes certificate paths of unknown origin without proper validation (BC Wiki).

The vulnerability has been fixed in BC Java 1.79, BCPKIX FIPS 1.0.8, and BCPKIX FIPS 2.0.8. The fix involves limiting the size of ASN.1 objects that can be loaded from untrusted sources, which automatically caps the maximum size of a Name Constraints structure that the PKIXCertPathReviewer can consume (BC Wiki).