CVE-2025-9341: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files org/bouncycastle/crypto/fips/AESNativeCBC.Java. This issue affects Bouncy Castle for Java FIPS: from BC-FJA 2.1.0 through 2.1.0.
AI Analysis
Technical Summary
CVE-2025-9341 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting Legion of the Bouncy Castle Inc.'s Bouncy Castle for Java FIPS library, specifically version BC-FJA 2.1.0. The vulnerability arises from excessive allocation of resources within the AESNativeCBC.Java component, which is part of the cryptographic API modules. This uncontrolled resource consumption can lead to denial-of-service (DoS) conditions by exhausting system resources such as memory or CPU cycles when processing specially crafted inputs. The vulnerability does not require user interaction or privileges to exploit but does require local access (AV:L - Attack Vector: Local). The attack complexity is low, and no authentication is needed, but the attacker must have local access to the system. The vulnerability impacts availability significantly (VA:H), while confidentiality and integrity impacts are considered low or none. The scope is partial (S:P), meaning the vulnerability affects components within the same security authority but does not extend beyond it. No known exploits are currently reported in the wild, and no patches have been linked yet. The CVSS 4.0 base score is 5.9, reflecting a medium severity level. The vulnerability affects all API modules in the specified version, indicating that any Java application using this FIPS-certified cryptographic library version is potentially vulnerable to resource exhaustion attacks, which could degrade or disrupt service availability.
Potential Impact
For European organizations, the impact of CVE-2025-9341 can be significant, especially for those relying on Bouncy Castle for Java FIPS in critical applications such as financial services, healthcare, government, and telecommunications. The vulnerability could be exploited to cause denial-of-service conditions, leading to service outages or degraded performance in cryptographic operations, which are foundational for secure communications and data protection. This could disrupt business operations, affect compliance with data protection regulations like GDPR, and erode customer trust. Since the vulnerability requires local access, the risk is higher in environments where multiple users have access to the same systems or where attackers can gain a foothold through other means. The partial scope containment means that while the impact is limited to the affected components, the disruption of cryptographic services can have cascading effects on dependent systems and applications. Organizations with automated cryptographic workflows or high transaction volumes may experience amplified effects. Additionally, the lack of a patch at the time of disclosure necessitates immediate risk mitigation to prevent exploitation.
Mitigation Recommendations
To mitigate CVE-2025-9341 effectively, European organizations should:
1) Immediately audit and inventory all systems and applications using Bouncy Castle for Java FIPS version BC-FJA 2.1.0 to identify vulnerable instances.
2) Restrict local access to systems running the vulnerable library to trusted personnel only, implementing strict access controls and monitoring for unusual local activity.
3) Employ resource usage monitoring and alerting to detect abnormal memory or CPU consumption patterns indicative of exploitation attempts.
4) Where feasible, isolate cryptographic services in dedicated environments or containers to limit the impact of resource exhaustion.
5) Engage with Legion of the Bouncy Castle Inc. or trusted vendors to obtain patches or updated versions as soon as they become available and plan for prompt deployment.
6) Implement defense-in-depth strategies such as application whitelisting, endpoint detection and response (EDR) tools, and network segmentation to reduce the attack surface.
7) Conduct penetration testing and vulnerability scanning focused on local privilege escalation and resource exhaustion scenarios to identify potential exploitation paths.
8) Educate system administrators and developers about the vulnerability to ensure secure coding and operational practices around cryptographic libraries.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: bcorg
- Date Reserved: 2025-08-22T08:45:19.734Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a835bcad5a09ad001dc375
Added to database: 8/22/2025, 9:17:48 AM
Last enriched: 8/22/2025, 9:32:55 AM
Last updated: 8/22/2025, 10:47:48 AM