#VU22272 Memory leak in The Bouncy Castle Crypto Package For Java

Published: 2019-10-24 | Updated: 2020-02-07

Vulnerability identifier: #VU22272

Vulnerability risk: Medium


CVE-ID: CVE-2019-17359


Exploitation vector: Network

Exploit availability:

Vulnerable software:
The Bouncy Castle Crypto Package For Java
Universal components / Libraries / Libraries used by multiple products

Vendor: Legion of the Bouncy Castle Inc.

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the ASN.1 parser. A remote attacker can send a specially crafted ASN.1 data and cause an OutOfMemoryError and perform denial of service attack.

Install updates from vendor's website.

Vulnerable software versions

The Bouncy Castle Crypto Package For Java: 1.63

Fixed software versions


External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability