Skip to content

CVE‐2026‐15997

David Hook edited this page Jul 16, 2026 · 1 revision

Title: Native ARM SHA3/SHAKE 'restoreFullState' fails to detect size_t underflow in a crafted encoded state

Issue affecting: BC-LTS 2.73.0 to 2.73.12.

Fixed versions: BC-LTS 2.73.12.1

Platform affected: Java 8 and later (ARM PAA instructions sets)

ARM-NEON-only (there is no Intel native SHA3/SHAKE — Intel uses the pure-Java digest). The state-restore decodes a full sha3_ctx/shake_ctx from caller bytes and re-establishes only some invariants. It recomputes rate_bytes from the (validated) bitLen, but the buffer-index bound check is against the maximum buffer size, not the variant's actual rate.

This could lead to unintended memory excursion if the application is accepting specially crafted persisted state for SHA3 / SHAKE digests.

https://github.com/bcgit/bc-lts-java/commit/f5df0d2ac1fce2454a8efb55ffd5b08011858c89

Clone this wiki locally