CVE-2026-15997
Received Received - Intake

Out-of-Bounds Write in Bouncy Castle BC-LTS bcprov-lts8on ARM

Vulnerability report for CVE-2026-15997, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: bcorg

Description

Out-of-bounds write vulnerability in Legion of the Bouncy Castle Inc. BC-LTS bcprov-lts8on on ARM allows Overflow Buffers. This vulnerability is associated with program files https://github.Com/bcgit/bc-lts-java/blob/main/native_c/arm/sha/shake.C, https://github.Com/bcgit/bc-lts-java/blob/main/native_c/arm/sha/sha3.C. This issue affects BC-LTS: from 2.73.0 before 2.73.12.1. Issue is only applicable if application involved is accepting memoable SHA3 / SHAKE states from potentially untrusted sources.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
legion_of_the_bouncy_castle_inc bcprov_lts8on From 2.73.0 (inc) to 2.73.12.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an out-of-bounds write vulnerability in the Bouncy Castle cryptographic library's BC-LTS bcprov-lts8on component specifically on ARM processors. It allows buffer overflows in the SHA3 and SHAKE state handling functions.

Detection Guidance

Detection requires checking if your system uses BC-LTS versions 2.73.0 to 2.73.12.1 and if SHA3/SHAKE states are accepted from untrusted sources. Review application logs for memory corruption errors or crashes in bcprov-lts8on libraries.

Impact Analysis

The impact is limited to applications that accept SHA3 or SHAKE states from untrusted sources. An attacker could exploit this to cause memory corruption or execute arbitrary code in the context of the vulnerable application.

Mitigation Strategies

Upgrade BC-LTS to version 2.73.12.1 or later. Disable SHA3/SHAKE state acceptance from untrusted sources if possible. Monitor for memory corruption issues in affected applications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart