## Bouncy Castle BC-JAVA Hit by Covert Timing Channel Vulnerability; Private Key Leakage Risk in FrodoKEM
Security researchers have identified a covert timing channel vulnerability in the Legion of the Bouncy Castle Inc. BC-JAVA cryptographic library, potentially exposing systems to private key leakage when handling FrodoKEM key operations. Tracked as CVE-2026-5598 and classified under CWE-385, the flaw stems from non-constant-time comparisons within the library's core modules, which introduces a side-channel attack vector: an adversary who can measure variations in execution time could infer sensitive cryptographic material from them.

The vulnerability affects BC-JAVA versions from 2.17.3 through any release prior to 1.84. FrodoKEM, a post-quantum key encapsulation mechanism designed to resist attacks from quantum computers, relies on constant-time operations to prevent information leakage. When a comparison exits as soon as it finds a mismatch, its running time depends on the data being compared, so the affected library's failure to maintain consistent execution times during cryptographic operations creates a window for timing-based side-channel analysis. Organizations using Bouncy Castle's BC-JAVA implementation for FrodoKEM key encapsulation are exposed if they process sensitive key material in environments where malicious actors can observe or measure execution timing.
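To illustrate the CWE-385 pattern described above (this is an added example, not Bouncy Castle's code and not a reproduction of the reported defect), the following contrasts an early-exit byte comparison with a constant-time one, applied to the kind of ciphertext check a Fujisaki-Okamoto-style KEM decapsulation performs when it re-encrypts and compares the result with the received ciphertext. The sample arrays are constructed; `MessageDigest.isEqual` is the JDK's own constant-time comparison.

```java
import java.security.MessageDigest;
import java.util.Arrays;

public final class CtCompare {

    // Variable-time: returns at the first mismatching byte, so the elapsed
    // time reveals how long the matching prefix is (the CWE-385 pattern).
    static boolean variableTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;   // early exit leaks the position
        }
        return true;
    }

    // Constant-time: touches every byte and folds all differences into an
    // accumulator; no branch or loop bound depends on the compared values.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;   // KEM ciphertext lengths are public
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a "received" ciphertext and a "recomputed" one
        // that differ only in the last byte, the worst case for early exit.
        byte[] received = new byte[32];
        byte[] recomputed = new byte[32];
        Arrays.fill(received, (byte) 0x5a);
        Arrays.fill(recomputed, (byte) 0x5a);
        recomputed[31] ^= 1;

        System.out.println("variable-time : " + variableTimeEquals(received, recomputed));
        System.out.println("constant-time : " + constantTimeEquals(received, recomputed));
        System.out.println("JDK isEqual   : " + MessageDigest.isEqual(received, recomputed));
    }
}
```

All three calls return the same boolean; only the first one's running time depends on where the arrays first differ, which is exactly the property a defender should look for in code review.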

The flaw has been catalogued in the National Vulnerability Database (NVD) and affects all core modules of the BC-JAVA package, a widely deployed open-source cryptographic library used across enterprise Java applications, Android development, and embedded systems. Developers and system administrators are urged to verify their Bouncy Castle dependency versions and apply updates to BC-JAVA 1.84 or later once available. Given the library's ubiquity in security-sensitive applications, the potential attack surface is significant, particularly for systems where timing measurements could be obtained by network-based adversaries or compromised co-tenant environments.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-5598, Bouncy Castle, timing channel, FrodoKEM, side-channel attack
- **Credibility**: unverified
- **Published**: 2026-05-04 09:54:11
- **ID**: 79234
- **URL**: https://whisperx.ai/en/intel/79234