CVE-2020-26939
Description
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OAEP decoding in Bouncy Castle before 1.61/BC-FJA 1.0.1.2 leaks RSA private exponent info through early exceptions on short plaintext.
Root Cause
The vulnerability resides in org.bouncycastle.crypto.encodings.OAEPEncoding. When the OAEP decoder receives invalid ciphertext that decrypts to a payload shorter than (2 * defHash.length) + 1, it throws an early exception before fully validating the padding [1][3]. This observable difference in behavior — specifically, the timing and occurrence of the exception — can be exploited to deduce information about the RSA private exponent [1].
Exploitation
An attacker must be able to send carefully crafted ciphertexts to a system that uses the vulnerable OAEP decoding logic. By observing whether an exception is thrown early (due to short payload) versus later (due to padding mismatch), the attacker can perform a side-channel attack. The attack does not require authentication if the decryption endpoint is accessible, and it can be carried out remotely over a network [1].
Impact
Successful exploitation allows an attacker to gradually leak bits of the RSA private exponent. This compromises the confidentiality of all data encrypted with the associated public key and undermines the security guarantees of the OAEP padding scheme [1][3].
Mitigation
Patched versions are BC 1.61 and BC-FJA 1.0.1.2 (or later) [3]. The fix ensures that a constant-time path is taken regardless of the decrypted payload length, as shown in commit 930f8b2 [2]. As a workaround, implementers can mimic RFC 5246 Section 7.4.7.1 by performing a length check on raw RSA decryption and returning failure consistently [3].
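To make the shape of the fix concrete, here is an added Python example (not Bouncy Castle's code, which is Java) of an OAEP decoder written the way the patch restructures decodeBlock: the raw RSA output is right-aligned into a fixed-size block, an oversize input is truncated and flagged instead of aborting, every padding check records its result in a single flag with no short-circuiting, and the one exception is raised only after the block has been fully unmasked and scanned. The hash (SHA-256), the modulus size of 128 bytes and the sample messages are constructed for the demo; the RSA step itself is omitted and the decoder takes the decrypted bytes directly. Python gives no guarantee about instruction-level timing, so the example demonstrates the control-flow discipline (no early exit, one error path), not a constant-time implementation.

```python
import hashlib
import hmac
import os

# Hash fixed for the example (constructed choice; Bouncy Castle takes the
# digest from the caller).
HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256


class InvalidCipherText(Exception):
    """The single error every malformed block maps to."""


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 8017, B.2.1): concatenate H(seed || counter) until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP encoding: returns the k-byte block 0x00 || maskedSeed || maskedDB."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for modulus size")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message
    seed = os.urandom(H_LEN)
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(data: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP decoding of the raw RSA output `data` for a k-byte modulus.

    Every check records its result in one flag; the block is always fully
    unmasked and scanned, and the one exception is raised at the very end.
    """
    if k < 2 * H_LEN + 2:
        # Key-size misconfiguration, decided at setup and not by the ciphertext.
        raise ValueError("modulus too small for OAEP with this hash")
    wrong = False
    # Right-align the input in a fixed k-byte block, since a big-integer to
    # bytes conversion strips leading zeros; oversize input is truncated and
    # flagged instead of failing before the unmasking work has been done.
    block = bytearray(k)
    if len(data) <= k:
        block[k - len(data):] = data
    else:
        block[:] = data[:k]
        wrong = True
    masked_seed = bytes(block[1:1 + H_LEN])
    masked_db = bytes(block[1 + H_LEN:])
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    wrong |= block[0] != 0
    wrong |= not hmac.compare_digest(db[:H_LEN], HASH(label).digest())
    # Locate the 0x01 separator after the zero padding without leaving the
    # loop early; a non-0x01 first byte is recorded, not acted on.
    rest = db[H_LEN:]
    found = False
    sep = 0
    for i, byte in enumerate(rest):
        first_nonzero = byte != 0 and not found
        if first_nonzero:
            sep = i
            wrong |= byte != 1
        found = found or byte != 0
    wrong |= not found
    message = rest[sep + 1:]
    if wrong:
        raise InvalidCipherText("data wrong")
    return message


def decode_outcome(data: bytes, k: int, label: bytes = b"") -> str:
    """'ok' for a valid block, otherwise the single failure string."""
    try:
        oaep_decode(data, k, label)
        return "ok"
    except InvalidCipherText as exc:
        return str(exc)


if __name__ == "__main__":
    K = 128  # 1024-bit modulus, constructed for the demo
    em = oaep_encode(b"hello", K)
    print(oaep_decode(em.lstrip(b"\x00"), K))                # b'hello'
    print(decode_outcome(em[:-1] + bytes([em[-1] ^ 1]), K))  # data wrong
    print(decode_outcome(b"\x01\x02", K))                    # data wrong
    print(decode_outcome(b"\xff" * (K + 3), K))              # data wrong
```

A too-short input, an oversize input, a flipped ciphertext byte and a wrong label all produce the same exception with the same message, and all of them reach that exception only after the same unmasking and hash work. The lHash comparison uses hmac.compare_digest so that the hash check does not itself become an early-exit comparison.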
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.bouncycastle:bcprov-jdk14 | < 1.61 | 1.61 |
| org.bouncycastle:bcprov-jdk15 | < 1.61 | 1.61 |
| org.bouncycastle:bcprov-jdk16 | < 1.61 | 1.61 |
| org.bouncycastle:bc-fips | < 1.0.2 | 1.0.2 |
| org.bouncycastle:bcprov-ext-jdk15on | < 1.61 | 1.61 |
| org.bouncycastle:bcprov-ext-jdk16 | < 1.61 | 1.61 |
| org.bouncycastle:bcprov-jdk15on | < 1.61 | 1.61 |
| org.bouncycastle:bcprov-jdk15to18 | < 1.61 | 1.61 |
Affected products
- Legion of the Bouncy Castle / BC (from the description)
- GHSA package coordinates (8 package URLs, no CPE assigned):
  - pkg:maven/org.bouncycastle/bc-fips, range: < 1.0.2
  - pkg:maven/org.bouncycastle/bcprov-ext-jdk15on, range: < 1.61
  - pkg:maven/org.bouncycastle/bcprov-ext-jdk16, range: < 1.61
  - pkg:maven/org.bouncycastle/bcprov-jdk14, range: < 1.61
  - pkg:maven/org.bouncycastle/bcprov-jdk15, range: < 1.61
  - pkg:maven/org.bouncycastle/bcprov-jdk15on, range: < 1.61
  - pkg:maven/org.bouncycastle/bcprov-jdk15to18, range: < 1.61
  - pkg:maven/org.bouncycastle/bcprov-jdk16, range: < 1.61
Patches
- 930f8b274c4f: further work to improve constant time in OAEP and RSA core.
2 files changed · +28 −11
core/src/main/java/org/bouncycastle/crypto/encodings/OAEPEncoding.java+11 −4 modified@@ -221,10 +221,17 @@ public byte[] decodeBlock( // on encryption, we need to make sure our decrypted block comes back // the same size. // + boolean wrongData = (block.length < (2 * defHash.length) + 1); - System.arraycopy(data, 0, block, block.length - data.length, data.length); - - boolean shortData = (block.length < (2 * defHash.length) + 1); + if (data.length <= block.length) + { + System.arraycopy(data, 0, block, block.length - data.length, data.length); + } + else + { + System.arraycopy(data, 0, block, 0, block.length); + wrongData = true; + } // // unmask the seed. @@ -278,7 +285,7 @@ public byte[] decodeBlock( start++; - if (defHashWrong | shortData | dataStartWrong) + if (defHashWrong | wrongData | dataStartWrong) { Arrays.fill(block, (byte)0); throw new InvalidCipherTextException("data wrong");
core/src/main/java/org/bouncycastle/crypto/engines/RSACoreEngine.java+17 −7 modified@@ -1,12 +1,13 @@ package org.bouncycastle.crypto.engines; +import java.math.BigInteger; + import org.bouncycastle.crypto.CipherParameters; import org.bouncycastle.crypto.DataLengthException; import org.bouncycastle.crypto.params.ParametersWithRandom; import org.bouncycastle.crypto.params.RSAKeyParameters; import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; - -import java.math.BigInteger; +import org.bouncycastle.util.Arrays; /** * this does your basic RSA algorithm. @@ -142,20 +143,29 @@ public byte[] convertOutput( return tmp; } + + return output; } else { + byte[] rv; if (output[0] == 0) // have ended up with an extra zero byte, copy down. { - byte[] tmp = new byte[output.length - 1]; + rv = new byte[output.length - 1]; - System.arraycopy(output, 1, tmp, 0, tmp.length); + System.arraycopy(output, 1, rv, 0, rv.length); + } + else // maintain decryption time + { + rv = new byte[output.length]; - return tmp; + System.arraycopy(output, 0, rv, 0, rv.length); } - } - return output; + Arrays.fill(output, (byte)0); + + return rv; + } } public BigInteger processBlock(BigInteger input)
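Review bot: in the first OAEPEncoding.java hunk, the `else` branch of `if (data.length <= block.length)` copies a truncated prefix of `data` into `block` and carries on purely so that the unmasking and hashing still run on an oversize input; that intent is not stated, and a one-line comment (as the RSACoreEngine hunk does with `// maintain decryption time`) would stop a later reader from "simplifying" it into an immediate throw. The renamed flag `wrongData` now also covers the oversize case, so the existing comment above the copy, which only talks about the block coming back "the same size", should be extended to mention it.

Review bot: in the second OAEPEncoding.java hunk, `if (defHashWrong | wrongData | dataStartWrong)` relies on the non-short-circuit `|` so that all three flags are evaluated regardless of the first; since this reads like a typo for `||`, a comment saying the operator is deliberate is worth adding so that a future style pass does not reintroduce an early exit.

Review bot: in the RSACoreEngine.java convertOutput hunk, the decryption branch now always allocates `rv`, copies into it and zeroes `output` with `Arrays.fill(output, (byte)0)`, which is the right shape, but `rv` is still one byte shorter when `output[0] == 0`, so the returned length remains input-dependent; that is acceptable only because OAEPEncoding.decodeBlock right-aligns `data` into a fixed-size block, and a comment here pointing at that dependency would make the contract between the two classes explicit. The `return output;` that moved inside the encryption branch also leaves `output` unzeroed on that path, which is fine for encryption but should be noted next to the zeroing so the asymmetry is clearly intentional.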
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-72m5-fvvv-55m6 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-26939 (GHSA, advisory)
- https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1 (GHSA, web)
- https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E (GHSA, mailing list, x_refsource_MLIST)
- https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html (GHSA, web)
- https://security.netapp.com/advisory/ntap-20201202-0005 (GHSA, web)
News mentions
No linked articles in our index yet.