UNKNOWN Maven
Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks
GHSA-574f-3g2m-x479 · CVE-2025-14813
Published · Modified
Description
The GOST 28147-2015 CTR mode implementation (G3413CTRBlockCipher) in the Legion of the Bouncy Castle BC-JAVA bcprov core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-14813
- WEB https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f
- WEB https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3
- WEB https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14813.json
- WEB https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813
- PACKAGE https://github.com/bcgit/bc-java
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2458640
- WEB https://access.redhat.com/security/cve/CVE-2025-14813
- WEB https://access.redhat.com/errata/RHSA-2026:24977
- WEB https://access.redhat.com/errata/RHSA-2026:21772
- WEB https://access.redhat.com/errata/RHSA-2026:18059
- WEB https://access.redhat.com/errata/RHSA-2026:18055
- WEB https://access.redhat.com/errata/RHSA-2026:18054
- WEB https://access.redhat.com/errata/RHSA-2026:17668
- WEB https://access.redhat.com/errata/RHSA-2026:14276
- WEB https://access.redhat.com/errata/RHSA-2026:14272
- WEB https://access.redhat.com/errata/RHSA-2026:13631
- WEB https://access.redhat.com/errata/RHSA-2026:11721
- WEB https://access.redhat.com/errata/RHSA-2026:11720
Ready to move
Start Securing
Free, no credit card | First findings in minutes