CVE-2019-17359
Description
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crafted ASN.1 data can cause excessive memory allocation in Bouncy Castle Crypto 1.63, leading to denial of service via OutOfMemoryError.
The ASN.1 parser in Bouncy Castle Crypto (BC Java) version 1.63 contains a vulnerability that allows specially crafted ASN.1 data to trigger an attempted large memory allocation, resulting in an OutOfMemoryError. This is a denial-of-service (DoS) condition that can crash the Java application or make it unresponsive [1].
An attacker can exploit this by supplying malicious ASN.1 encoded input to an application that uses the vulnerable Bouncy Castle library. No authentication is required if the application parses untrusted ASN.1 data, and the attack can be delivered over the network if the application accepts remote input. The crafted data forces the parser to attempt to allocate an excessive amount of memory, exhausting the available heap space [1].
Successful exploitation leads to a denial of service, disrupting services that rely on Bouncy Castle for cryptographic operations. The vulnerability is fixed in Bouncy Castle Crypto version 1.64. Users should upgrade to version 1.64 or later to mitigate the risk. No workaround is documented [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.bouncycastle:bcprov-jdk14 (Maven) | >= 1.63, < 1.64 | 1.64 |
Affected products
- Bouncy Castle/Crypto (source: description)
- ghsa-coords, 2 versions: >= 1.63, < 1.64 (+ 1 more)
- (no CPE) range: >= 1.63, < 1.64
- (no CPE) range: < 1.68-3.2
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2mh8-gx2m-mr75 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-17359 (ghsa, ADVISORY)
- lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c930bec163031209%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c930bec163031209@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f9d71cd409e007d%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f9d71cd409e007d@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad1de7a49fe05d27%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad1de7a49fe05d27@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r4d475dcaf4f57115fa57d8e06c3823ca398b35468429e7946ebaefdc%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r4d475dcaf4f57115fa57d8e06c3823ca398b35468429e7946ebaefdc@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r79b6a6aa0dd1aeb57bd253d94794bc96f1ec005953c4bd5414cc0db0%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r79b6a6aa0dd1aeb57bd253d94794bc96f1ec005953c4bd5414cc0db0@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r8ecb5b76347f84b6e3c693f980dbbead88c25f77b815053c4e6f2c30%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r8ecb5b76347f84b6e3c693f980dbbead88c25f77b815053c4e6f2c30@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r91b07985b1307390a58c5b9707f0b28ef8e9c9e1c86670459f20d601%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r91b07985b1307390a58c5b9707f0b28ef8e9c9e1c86670459f20d601@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/re60f980c092ada4bfe236dcfef8b6ca3e8f3b150fc0f51b8cc13d59d%40%3Ccommits.tomee.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/re60f980c092ada4bfe236dcfef8b6ca3e8f3b150fc0f51b8cc13d59d@%3Ccommits.tomee.apache.org%3E (ghsa, WEB)
- security.netapp.com/advisory/ntap-20191024-0006 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20191024-0006/ (mitre, x_refsource_CONFIRM)
- www.bouncycastle.org/latest_releases.html (ghsa, x_refsource_MISC, WEB)
- www.bouncycastle.org/releasenotes.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuapr2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2021.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuoct2020.html (ghsa, x_refsource_MISC, WEB)