
CVE-2025-9341: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-9341, cve, cve-2025-9341, cwe-400
Published: Fri Aug 22 2025 (08/22/2025, 09:09:17 UTC)
Source: CVE Database V5
Vendor/Project: Legion of the Bouncy Castle Inc.
Product: Bouncy Castle for Java FIPS

Description

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files org/bouncycastle/crypto/fips/AESNativeCBC.Java, org/bouncycastle/crypto/engines/AESNativeCBC.Java. This issue affects Bouncy Castle for Java FIPS: 2.1.0; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.

AI-Powered Analysis

Last updated: 10/25/2025, 04:12:55 UTC

Technical Analysis

CVE-2025-9341 identifies a resource exhaustion vulnerability in Legion of the Bouncy Castle Inc.'s Bouncy Castle for Java FIPS and LTS cryptographic libraries. The vulnerability is categorized under CWE-400, indicating uncontrolled resource consumption. It specifically impacts the AESNativeCBC implementation in the Java API modules, where crafted inputs or operations can trigger excessive memory allocation. This can degrade system performance or cause denial of service by exhausting available memory resources. The affected versions include Bouncy Castle for Java FIPS 2.1.0 and LTS versions from 2.73.0 through 2.73.7. The vulnerability requires local access with low privileges (attack vector: local) and no user interaction, making exploitation somewhat limited but still feasible in multi-user or shared environments. The CVSS 4.0 vector indicates low attack complexity but partial impact on availability and confidentiality, with no impact on integrity. No public exploits have been reported yet, but the presence of this vulnerability in widely used cryptographic libraries raises concerns for applications relying on these modules for secure communications and data protection. The issue stems from inefficient handling of resource allocation in AES CBC mode implementations, which can be triggered by specific API calls or malformed inputs. This could lead to denial of service conditions affecting dependent applications and services.

Potential Impact

For European organizations, the primary impact is potential denial of service due to excessive memory consumption in applications using the vulnerable Bouncy Castle Java FIPS or LTS libraries. This can disrupt critical services, especially those relying on cryptographic operations for secure communications, data encryption, or authentication. Financial institutions, government agencies, and enterprises with Java-based infrastructure may experience service outages or degraded performance. Although the vulnerability does not directly compromise data integrity or confidentiality, service unavailability can indirectly affect business continuity and trust. The requirement for local access limits remote exploitation, but insider threats or compromised internal systems could leverage this vulnerability. Additionally, organizations with multi-tenant environments or shared hosting could see broader impact if one tenant triggers resource exhaustion. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

Organizations should monitor memory and resource usage of applications utilizing Bouncy Castle Java FIPS or LTS libraries, particularly those performing AES CBC operations. Implementing resource limits and quotas at the OS or container level can help contain potential exhaustion. It is critical to track vendor advisories for patches or updated library versions addressing CVE-2025-9341 and apply them promptly once released. In the interim, restrict local access to trusted users only and audit usage of cryptographic APIs to detect abnormal patterns. Employ application-level input validation to prevent malformed or unexpected inputs that could trigger excessive allocations. Consider isolating critical cryptographic services in hardened environments with strict resource controls. Additionally, review and update incident response plans to include scenarios involving resource exhaustion attacks targeting cryptographic components.
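To act on the advice to track affected library versions, the following added example (not part of the original advisory, and not Bouncy Castle code) flags jars whose file names fall inside the version ranges given in the Description. It assumes the usual `artifactId-version.jar` naming, so shaded or renamed jars are not detected; the inventory paths are constructed sample data.

```python
import re

# Affected ranges as stated in the CVE description (inclusive bounds).
AFFECTED = {
    "bc-fips": ((2, 1, 0), (2, 1, 0)),
    "bcprov-lts8on": ((2, 73, 0), (2, 73, 7)),
}
JAR_RE = re.compile(r"^(bc-fips|bcprov-lts8on)-(\d+(?:\.\d+)*)\.jar$")

# Constructed sample inventory, e.g. the output of a file listing on a host.
SAMPLE_INVENTORY = [
    "/opt/app/lib/bc-fips-2.1.0.jar",
    "/opt/app/lib/bc-fips-2.0.0.jar",
    "/srv/svc/WEB-INF/lib/bcprov-lts8on-2.73.7.jar",
    "/srv/svc/WEB-INF/lib/bcprov-lts8on-2.73.8.jar",
    "/srv/svc/WEB-INF/lib/bcprov-jdk18on-1.78.jar",
    "/opt/app/lib/commons-io-2.11.0.jar",
]


def parse_version(text):
    """Turn '2.73.7' into (2, 73, 7), padding short versions to three parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(path):
    """Return (artifact, version, affected) for a tracked jar, else None."""
    name = re.split(r"[\\/]", path)[-1]  # accept POSIX and Windows separators
    match = JAR_RE.match(name)
    if not match:
        return None  # not one of the two artifacts named in the advisory
    artifact, version_text = match.groups()
    low, high = AFFECTED[artifact]
    return artifact, version_text, low <= parse_version(version_text) <= high


def affected_jars(paths):
    """List (path, artifact, version) for every jar inside an affected range."""
    hits = []
    for path in paths:
        result = classify(path)
        if result and result[2]:
            hits.append((path, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for path, artifact, version in affected_jars(SAMPLE_INVENTORY):
        print(f"AFFECTED by CVE-2025-9341: {artifact} {version} at {path}")
```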


Technical Details

Data Version: 5.1
Assigner Short Name: bcorg
Date Reserved: 2025-08-22T08:45:19.734Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a835bcad5a09ad001dc375

Added to database: 8/22/2025, 9:17:48 AM

Last enriched: 10/25/2025, 4:12:55 AM

Last updated: 11/22/2025, 10:50:13 AM
