CVE-2024-29857: Input Validation

Published May 14, 2024
·
Updated

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Other sources

The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by improper input validation. By importing an EC certificate with crafted F2m parameters, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.

IBM

Affected Software

11 affected componentsFixes available
nuget/BouncyCastle.Cryptography<2.3.1
2.3.1
nuget/BouncyCastle<2.3.1
maven/org.bouncycastle:bc-fips<1.0.2.5
1.0.2.5
maven/org.bouncycastle:bctls-jdk15to18<1.78
1.78
maven/org.bouncycastle:bctls-jdk14<1.78
1.78
maven/org.bouncycastle:bctls-jdk18on<1.78
1.78
maven/org.bouncycastle:bcprov-jdk14<1.78
1.78
maven/org.bouncycastle:bcprov-jdk15to18<1.78
1.78
maven/org.bouncycastle:bcprov-jdk15on<1.78
1.78
maven/org.bouncycastle:bcprov-jdk18on<1.78
1.78
redhat/BC Java<1.78
1.78

Event History

Jan 1, 1970
CVE Published
via MITRE·12:00 AM
May 14, 2024
CVE Published
via NVD·03:17 PM
Data Sourced
via NVD·03:17 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·03:32 PM
Jun 19, 2024
Data Sourced
via Red Hat·03:36 AM
DescriptionSeverityAffected Software
Dec 6, 2024
Data Sourced
via MITRE·01:20 PM
Description
Feb 4, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-29857?

CVE-2024-29857 is classified as a security vulnerability that can lead to excessive CPU consumption.

2

How do I fix CVE-2024-29857?

To fix CVE-2024-29857, upgrade Bouncy Castle Java to version 1.78 or later, or for .NET versions, upgrade to BouncyCastle.Cryptography version 2.3.1 or later.

3

Which versions of Bouncy Castle are affected by CVE-2024-29857?

CVE-2024-29857 affects Bouncy Castle Java before version 1.78, BC-FJA before version 1.0.2.5, and Bouncy Castle C# .Net before version 2.3.1.

4

What products are impacted by CVE-2024-29857?

CVE-2024-29857 impacts Bouncy Castle libraries in several frameworks including Java, .NET, and specific IBM products like Security Verify Governance.

5

Is there a workaround for CVE-2024-29857?

There is no documented workaround for CVE-2024-29857; upgrading to the latest versions is the recommended action.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203