VYPR
Moderate severity · NVD Advisory · Published Nov 21, 2022 · Updated Aug 3, 2024

CVE-2022-45146

Description

An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Temporary keys in Bouncy Castle BC-FJA before 1.0.2.4 can be zeroed by the Java 13+ garbage collector while still in use, causing errors or information loss.

What the vulnerability is

CVE-2022-45146 affects the Bouncy Castle FIPS Java API (BC-FJA) in versions prior to 1.0.2.4. The root cause is a change in JVM garbage collector behavior introduced in Java 13 and later. Under specific conditions, temporary cryptographic keys held by the BC-FJA module can be garbage-collected and zeroed out while the module is still using them, so subsequent operations run on cleared key material.

How it is exploited

Exploitation does not require network access or authentication by an attacker; it is a functional defect triggered by normal JVM operation. Any application using the BC-FJA FIPS modules on Java 13 or later may encounter this issue. The garbage collector may reclaim and zero temporary key objects before the BC-FJA module has finished using them, causing the module to operate on null or cleared key data.

Impact

The impact includes errors during cryptographic operations and potential information loss. In some scenarios, the unintended clearing of keys could lead to denial of service or the exposure of partial cryptographic states. However, the official advisory notes that FIPS-compliant users are unaffected because the FIPS certification covers only Java 7, 8, and 11 [1].

Mitigation status

The issue is fixed in BC-FJA version 1.0.2.4 [1]. Users running on Java 13 or later are strongly advised to upgrade to the patched version. For those restricted to FIPS-certified Java versions (7, 8, 11), the vulnerability does not apply because the garbage collector behavior in those Java versions does not trigger the issue [1].
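The mechanism described under "How it is exploited" and the fix described under "Mitigation status" both come down to one JVM rule: an object may become unreachable, and its cleanup action may run, as soon as the JIT decides no further code needs the object itself, even if a method is still reading a field it obtained from that object. The following Java program is an added illustration of that bug class and of the standard defensive pattern; it is not Bouncy Castle code and makes no claim about how BC-FJA's internals are written. The `TempKey` wrapper, the checksum stand-in for a cipher operation and the stress harness are all constructed for this example; `java.lang.ref.Cleaner` and `Reference.reachabilityFence` are real Java 9+ APIs.

```java
import java.lang.ref.Cleaner;
import java.lang.ref.Reference;
import java.util.Arrays;

/*
 * Added illustration (not BC-FJA code) of premature key zeroing:
 * a wrapper zeroes its key bytes in a Cleaner action once the wrapper
 * becomes unreachable, but the JIT may treat the wrapper as dead right
 * after the last field read, i.e. while a loop still uses the bytes.
 * Reference.reachabilityFence (Java 9+) is the standard fix.
 */
public final class TempKeyZeroingDemo {
    private static final Cleaner CLEANER = Cleaner.create();
    // Volatile sink so the allocation pressure below is not optimised away.
    static volatile byte[] SINK;

    /** Wraps temporary key material and zeroes it on cleanup. */
    static final class TempKey {
        final byte[] material;

        TempKey(byte[] material) {
            this.material = material;
            // The cleaning action captures only the array, never 'this';
            // capturing 'this' would keep the holder reachable forever.
            CLEANER.register(this, () -> Arrays.fill(material, (byte) 0));
        }
    }

    /** Keyed checksum standing in for a real cipher operation. */
    private static int keyedChecksum(byte[] k, byte[] data, boolean churn) {
        int acc = 0;
        for (int i = 0; i < data.length; i++) {
            acc = 31 * acc + (data[i] ^ k[i % k.length]);
            if (churn && (i & 0xFF) == 0) {
                // Allocation pressure so a GC cycle can occur mid-operation.
                SINK = new byte[64 * 1024];
            }
        }
        return acc;
    }

    /** Unsafe: nothing keeps 'key' reachable after 'key.material' is read,
     *  so the cleaner may zero the array while keyedChecksum still runs. */
    static int checksumUnsafe(TempKey key, byte[] data) {
        byte[] k = key.material;
        return keyedChecksum(k, data, true);
    }

    /** Safe: the fence keeps 'key' strongly reachable until the work is done. */
    static int checksumSafe(TempKey key, byte[] data) {
        try {
            return keyedChecksum(key.material, data, true);
        } finally {
            Reference.reachabilityFence(key);
        }
    }

    /** Runs one variant repeatedly; returns how many results disagreed with
     *  the checksum computed beforehand from a private copy of the key. */
    static int countMismatches(boolean safe, int rounds) {
        byte[] data = new byte[1 << 20];
        Arrays.fill(data, (byte) 0x5A);                 // constructed input
        int mismatches = 0;
        for (int r = 0; r < rounds; r++) {
            byte[] material = new byte[32];
            Arrays.fill(material, (byte) (r + 1));      // constructed key
            int expected = keyedChecksum(material.clone(), data, false);
            TempKey key = new TempKey(material);
            int got = safe ? checksumSafe(key, data) : checksumUnsafe(key, data);
            if (got != expected) {
                mismatches++;                            // key was zeroed mid-use
            }
        }
        return mismatches;
    }

    public static void main(String[] args) {
        int rounds = 2000;
        System.out.println("unsafe mismatches: " + countMismatches(false, rounds));
        System.out.println("safe   mismatches: " + countMismatches(true, rounds));
        // The unsafe count depends on JIT and GC timing: zero does not prove
        // the code correct, while any non-zero count proves it is not.
    }
}
```

Run it with `java TempKeyZeroingDemo.java` on a Java 13+ JVM. The useful lesson is in the shape of the code rather than in the printed counts: any type that zeroes key bytes from a finalizer or `Cleaner` action needs a `reachabilityFence` at the end of every method that hands the underlying array to longer-running code, and the cleaning action must capture the array rather than the holder. When investigating a report like this CVE, a harness of this form (independent expected value, allocation churn, many rounds) is how to turn an intermittent "wrong result" into a reproducible signal.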

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.bouncycastle:bc-fips (Maven)
Affected versions: < 1.0.2.4
Patched versions: 1.0.2.4

Affected products: 93

Patches: 0

No patches discovered yet.


References: 4

News mentions: 0

No linked articles in our index yet.