CVE Vulnerabilities

CVE-2026-5598

Covert Timing Channel

Published: Apr 15, 2026 | Modified: Jun 30, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules).

This vulnerability is associated with program files FrodoEngine.Java.

This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Weakness

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Affected Software

NameVendorStart VersionEnd Version
Red Hat JBoss Enterprise Application Platform 7RedHat*
Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7RedHateap7-bouncycastle-0:1.84.0-1.redhat_00001.1.el7eap*
Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8RedHateap7-bouncycastle-0:1.84.0-1.redhat_00001.1.el8eap*
Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9RedHateap7-bouncycastle-0:1.84.0-1.redhat_00001.1.el9eap*
Red Hat JBoss Enterprise Application Platform 8.1RedHatbcprov-jdk12*
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8RedHateap8-bouncycastle-0:1.84.0-1.redhat_00001.1.el8eap*
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9RedHateap8-bouncycastle-0:1.84.0-1.redhat_00001.1.el9eap*
BouncycastleUbuntuesm-apps/xenial*

Extended Description

In some instances, knowing when data is transmitted between parties can provide a malicious user with privileged information. Also, externally monitoring the timing of operations can potentially reveal sensitive data. For example, a cryptographic operation can expose its internal state if the time it takes to perform the operation varies, based on the state. Covert channels are frequently classified as either storage or timing channels. Some examples of covert timing channels are the system’s paging rate, the time a certain transaction requires to execute, and the time it takes to gain access to a shared bus.

Potential Mitigations

References