
CVE-2026-0636

David Hook edited this page Jan 6, 2026 · 2 revisions

Issue affecting: BC 1.83 and earlier.

Fixed versions: BC 1.84

Platform affected: Java 4 and later.

Bouncy Castle provides a secondary API for use with LDAP servers for doing certificate processing. Before 1.84, the implementation of the LDAP classes under org.bouncycastle.x509 (which used code similar to the problem code fixed by CVE-2023-33201) did not check the X.500 name of any certificate, subject, or issuer passed in for LDAP wild cards, meaning the presence of a wild card may lead to Information Disclosure if the API is used in a manner which may accept un-vetted certificates. The API in question needs to be invoked explicitly in order to be used.

The fix was introduced in commit d20cdb8430e09224114fec0179a71859929fcbde which refactored out the LDAP DN parsing code used across the APIs into a single class.
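To make the class of problem concrete, the following is an added illustrative example, not Bouncy Castle's own code and not the code in the commit above. It shows the two defensive options a caller has when an X.500 name taken from a certificate is turned into an LDAP search filter: reject any attribute value that contains filter metacharacters, or escape every value per RFC 4515 so that a `*` in a subject name is matched as a literal character rather than acting as a wild card. It uses only the JDK's `javax.naming.ldap` DN parser; the class and method names below are the example's own.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Illustrative example (not Bouncy Castle code): turn the components of an
 * X.500 name into an LDAP search filter without letting characters in the
 * name change the meaning of the filter.
 */
public final class DnFilterExample {

    /** Escape one attribute value for use inside an LDAP search filter (RFC 4515, section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;   // wildcard
                case '(':  sb.append("\\28"); break;   // filter grouping
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;   // escape character itself
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** True if the value would be interpreted as anything other than literal data in a filter. */
    public static boolean containsFilterMetacharacters(String value) {
        return !escapeFilterValue(value).equals(value);
    }

    /**
     * Strict option: refuse to build a filter at all if any RDN value of the
     * name contains a filter metacharacter. This is the "check the name for
     * wild cards" approach; the caller decides how to handle the rejection.
     */
    public static void rejectFilterMetacharacters(String x500Name) throws NamingException {
        for (Rdn rdn : new LdapName(x500Name).getRdns()) {
            NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute a = attrs.next();
                String value = a.get().toString();   // unescaped RFC 2253 value
                if (containsFilterMetacharacters(value)) {
                    throw new IllegalArgumentException(
                        "LDAP filter metacharacter in " + a.getID() + " of: " + x500Name);
                }
            }
        }
    }

    /**
     * Lenient option: build an AND filter that matches every RDN value exactly.
     * LdapName indexes RDNs rightmost-first, so "CN=*, O=Example Corp" yields
     * "(&(O=Example Corp)(CN=\2a))": the CN of "*" is searched for literally.
     */
    public static String exactMatchFilter(String x500Name) throws NamingException {
        StringBuilder filter = new StringBuilder("(&");
        for (Rdn rdn : new LdapName(x500Name).getRdns()) {
            // toAttributes() handles multi-valued RDNs (CN=a+OU=b) as well as single-valued ones
            NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute a = attrs.next();
                filter.append('(').append(a.getID()).append('=')
                      .append(escapeFilterValue(a.get().toString())).append(')');
            }
        }
        return filter.append(')').toString();
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject name: a CN consisting only of a wildcard character.
        // In real use this string would come from cert.getSubjectX500Principal().getName().
        String subject = "CN=*, O=Example Corp";

        System.out.println(exactMatchFilter(subject));      // (&(O=Example Corp)(CN=\2a))
        try {
            rejectFilterMetacharacters(subject);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the escaping step, the same subject would produce the filter `(&(O=Example Corp)(CN=*))`, which matches every entry in the organisation, which is the information-disclosure outcome the advisory describes. Which of the two options fits depends on the deployment: rejecting is simpler to audit, escaping preserves lookups for names that legitimately contain such characters.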

We gratefully acknowledge the efforts of Prasanth Sundararajan <prasanth.srihariAgmail.com> in identifying this issue.
