CVE-2025-9341: 
Java vulnerability analysis and mitigation

Uncontrolled Resource Consumption vulnerability (CVE-2025-9341) affects Legion of the Bouncy Castle Inc.'s Bouncy Castle for Java FIPS bc-fips and Bouncy Castle for Java LTS bcprov-lts8on modules. The vulnerability was discovered on August 22, 2025, and affects program files org/bouncycastle/crypto/fips/AESNativeCBC.Java and org/bouncycastle/crypto/engines/AESNativeCBC.Java. The affected versions include Bouncy Castle for Java FIPS from BC-FJA 2.1.0 through 2.1.0 and Bouncy Castle for Java LTS from BC-LTS 2.73.0 through 2.73.7 (NVD).

The vulnerability is classified as an Uncontrolled Resource Consumption issue (CWE-400) that allows Excessive Allocation. According to the CVSS 4.0 scoring, it has received a Medium severity rating of 5.9. The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring Present attack requirements (AT:P), No privileges (PR:N), and No user interaction (UI:N). The vulnerability primarily impacts system availability (VA:H) with no direct effects on confidentiality or integrity (NVD).

The primary impact of this vulnerability is on system availability through excessive resource allocation. The High availability impact rating suggests that successful exploitation could result in significant resource consumption, potentially leading to denial of service conditions (NVD).

Organizations using affected versions of Bouncy Castle should update to the latest patched versions. The vulnerability affects specific versions of both Bouncy Castle for Java FIPS (BC-FJA 2.1.0) and Bouncy Castle for Java LTS (BC-LTS 2.73.0 through 2.73.7) (NVD).