This vulnerability (CVE-2026-3505) in BC-JAVA's PGP modules arises from the allocation of resources without limits or throttling (CWE-770). The unbounded size of PGP AEAD chunks can cause excessive resource consumption before authentication, potentially leading to denial of service conditions. It affects all versions prior to 1.84 of BC-JAVA. The CVSS 4.0 score is 10, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, availability, and security requirements. No patch or official remediation level has been published by the vendor as of the data provided.

The vulnerability allows an unauthenticated attacker to cause resource exhaustion on systems using vulnerable versions of BC-JAVA by sending specially crafted PGP AEAD chunks of unbounded size. This can lead to denial of service, impacting availability and potentially other security properties of the affected system. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or temporary fix is available, users should monitor the vendor's communications for updates. Until a fix is released, consider limiting exposure of services using BC-JAVA or applying application-level resource constraints if possible.