CVE‐2025‐12194
Issue affecting: BC-FJA 2.1.1, BC-LTS 2.73.0
Fixed versions: BC-FJA 2.1.2, BC-LTS 2.73.8
Platform affected: All JVMs.
Further issues have shown up in high-core environments with Java 21 and BC-FJA 2.1.1. It appears that under very high loads the disposal thread is scheduled in such a way that it only gets called rarely, or at least not soon enough. The issue has been fixed by introducing the use of reachability-fencing. This is available in Java 9 and later, so Java 8 still uses the disposal daemon as before, though it has been changed to reduce friction (synchronized has been introduced where some friction is still required). A new property, "org.bouncycastle.native.cleanup_priority", has also been added; it can be set to "min", "normal", or "high" (default "min") in case disposal thread scheduling would be beneficial for Java 8 as well.
It should be noted that while we have received reports of this issue for BC-FJA 2.1.1, we have not received any for BC-LTS 2.73.7; however, analysis indicates that the problem must be present and should show up eventually if not dealt with by upgrading.
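A general illustration of the Java 9+ `Reference.reachabilityFence` API that the fix refers to, as an added example and not Bouncy Castle's code: a wrapper keeps itself reachable while its native state is in use, and releases that state on `close()` rather than waiting for a background cleanup thread. The class names and the `NATIVE_HEAP` map, which stands in for memory owned by a native library, are hypothetical.

```java
import java.lang.ref.Cleaner;
import java.lang.ref.Reference;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

// Illustration only: NATIVE_HEAP simulates allocations held by a native library.
public class FencedHandleDemo {
    static final Map<Long, byte[]> NATIVE_HEAP = new ConcurrentHashMap<>();
    static final AtomicLong NEXT = new AtomicLong(1);
    static final Cleaner CLEANER = Cleaner.create();   // background cleanup thread

    static final class NativeDigest implements AutoCloseable {
        private final long handle;                     // hypothetical native reference
        private final Cleaner.Cleanable cleanable;

        NativeDigest(int size) {
            long h = NEXT.getAndIncrement();
            NATIVE_HEAP.put(h, new byte[size]);
            this.handle = h;
            // The cleanup action captures only the handle value, never 'this'.
            this.cleanable = CLEANER.register(this, () -> NATIVE_HEAP.remove(h));
        }

        int update(byte[] in) {
            try {
                // Once 'handle' has been read, the JIT may treat 'this' as unreachable;
                // without the fence the cleaner could free the state mid-call.
                byte[] state = NATIVE_HEAP.get(handle);
                if (state == null) throw new IllegalStateException("handle already freed");
                for (int i = 0; i < in.length; i++) state[i % state.length] ^= in[i];
                return state.length;
            } finally {
                Reference.reachabilityFence(this);     // keep 'this' alive up to here
            }
        }

        // Deterministic release; the Cleaner remains as a fallback if close() is skipped.
        @Override public void close() { cleanable.clean(); }
    }

    public static void main(String[] args) {
        try (NativeDigest d = new NativeDigest(32)) {
            d.update("constructed sample input".getBytes());
            System.out.println("live handles during use: " + NATIVE_HEAP.size());
        }
        System.out.println("live handles after close: " + NATIVE_HEAP.size());
    }
}
```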
Fix Commits
Introduction of Reachability-Fencing https://github.com/bcgit/bc-lts-java/commit/f2776feac0c30230f7a5ac34eb24f5019caf0324
Directory rename https://github.com/bcgit/bc-lts-java/commit/2c9be6c64152ce48c6afc784c042a514be71ec71