CVE-2025-14813 PUBLISHED

GOSTCTR implementation unable to process more than 255 blocks correctly

Assigner: bcorg
Reserved: 17.12.2025 Published: 15.04.2026 Updated: 15.04.2026

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.

GOSTCTR implementation unable to process more than 255 blocks correctly.

This issue affects BC-JAVA: from 1.59 before 1.84.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Legion of the Bouncy Castle Inc.
Product	BC-JAVA
Versions	Default: unaffected affected from 1.59 to 1.84 (excl.)

Credits

XlabAI Team of Tencent Xuanwu Lab finder
Atuin Automated Vulnerability Discovery Engine finder
Lili Tang, Guannan Wang, and Guancheng Li finder

References

Problem Types

CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE