CVE-2025-9092: 
Java vulnerability analysis and mitigation

CVE-2025-9092 is an Uncontrolled Resource Consumption vulnerability discovered in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 bc-fips (API modules). The vulnerability was disclosed on August 16, 2025, affecting the program files org.Bouncycastle.Crypto.Fips.NativeLoader in version 2.1.0 (NVD).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and received a CVSS 4.0 Base Score of LOW (1.0) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/R:U/RE:L/U:Green. In multi-JVM environments, BC-FJA 2.1.0 creates multiple library directories for .so files required for native support, even when these files could be shared, leading to potential resource exhaustion (BC-Java Wiki).

The vulnerability can lead to server fragility, particularly in cases where it's difficult to identify which library directories are in use. The subsequent strain on resources may result in service failure, especially in multi-JVM environments (BC-Java Wiki).

Two workarounds are available: 1) Strictly limit the number of JVMs providing services based on BC-FJA 2.1.0 to enable effective monitoring and cleanup on the affected server, or 2) Ensure the module is configured to write its native support files to a file system with sufficient capacity. A fixed version (BC-FJA 2.1.1) has been released that modifies the native loader to write files only once and reuse existing sets when they can be verified as identical (BC-Java Wiki).