High severity7.5NVD Advisory· Published May 14, 2024· Updated Apr 15, 2026
CVE-2024-29857
CVE-2024-29857
Description
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.bouncycastle:bcprov-jdk18onMaven | < 1.78 | 1.78 |
org.bouncycastle:bcprov-jdk15onMaven | < 1.78 | 1.78 |
org.bouncycastle:bcprov-jdk15to18Maven | < 1.78 | 1.78 |
org.bouncycastle:bcprov-jdk14Maven | < 1.78 | 1.78 |
org.bouncycastle:bctls-jdk18onMaven | < 1.78 | 1.78 |
org.bouncycastle:bctls-jdk14Maven | < 1.78 | 1.78 |
org.bouncycastle:bctls-jdk15to18Maven | < 1.78 | 1.78 |
org.bouncycastle:bc-fipsMaven | < 1.0.2.5 | 1.0.2.5 |
BouncyCastleNuGet | >= 0 | — |
BouncyCastle.CryptographyNuGet | < 2.3.1 | 2.3.1 |
Patches
356daa6eac526Restrict m value in F2m curves
2 files changed · +31 −7
crypto/src/math/ec/ECCurve.cs+11 −7 modified@@ -607,6 +607,13 @@ public virtual ECPoint DecodePoint(ReadOnlySpan<byte> encoded) } #endif + internal static int ImplGetInteger(string envVariable, int defaultValue) + { + string property = Platform.GetEnvironmentVariable(envVariable); + + return int.TryParse(property, out int value) ? value : defaultValue; + } + private class DefaultLookupTable : AbstractECLookupTable { @@ -757,13 +764,6 @@ private static void ImplCheckQ(BigInteger q) throw new ArgumentException("Fp q value not prime"); } - private static int ImplGetInteger(string envVariable, int defaultValue) - { - string property = Platform.GetEnvironmentVariable(envVariable); - - return int.TryParse(property, out int value) ? value : defaultValue; - } - private static int ImplGetIterations(int bits, int certainty) { /* @@ -966,6 +966,10 @@ public static BigInteger Inverse(int m, int[] ks, BigInteger x) private static IFiniteField BuildField(int m, int k1, int k2, int k3) { + int maxM = ImplGetInteger("Org.BouncyCastle.EC.F2m_MaxSize", 1142); // 2 * 571 + if (m > maxM) + throw new ArgumentException("F2m m value out of range"); + int[] exponents = (k2 | k3) == 0 ? new int[]{ 0, k1, m } : new int[]{ 0, k1, k2, k3, m };
crypto/test/src/math/ec/test/ECPointTest.cs+20 −0 modified@@ -179,6 +179,26 @@ private void ImplTestAdd(ECPoint[] p, ECPoint infinity) } } + [Test] + public void TestLargeMInF2m() + { + int m = 2048; + int k1 = 1; + BigInteger aTpb = new BigInteger("1000", 2); + BigInteger bTpb = new BigInteger("1001", 2); + BigInteger n = new BigInteger("23"); + BigInteger h = new BigInteger("1"); + + try + { + F2mCurve curve = new F2mCurve(m, k1, aTpb, bTpb, n, h); + } + catch (ArgumentException e) + { + Assert.AreEqual("F2m m value out of range", e.Message); + } + } + /** * Calls <code>implTestAdd()</code> for <code>Fp</code> and * <code>F2m</code>.
2 files changed · +24 −5
core/src/main/java/org/bouncycastle/math/ec/ECCurve.java+5 −5 modified@@ -845,6 +845,11 @@ public static BigInteger inverse(int m, int[] ks, BigInteger x) private static FiniteField buildField(int m, int k1, int k2, int k3) { + if (m > Properties.asInteger("org.bouncycastle.ec.max_f2m_field_size", 1142)) // twice 571 + { + throw new IllegalArgumentException("field size out of range: " + m); + } + int[] exponents = (k2 | k3) == 0 ? new int[]{ 0, k1, m } : new int[]{ 0, k1, k2, k3, m }; @@ -1006,11 +1011,6 @@ protected ECFieldElement solveQuadraticEquation(ECFieldElement beta) } int m = this.getFieldSize(); - - if (m > Properties.asInteger("org.bouncycastle.ec.max_f2m_field_size", 1142)) // twice 571 - { - throw new IllegalStateException("field size out of range: " + m); - } // For odd m, use the half-trace if (0 != (m & 1))
core/src/test/java/org/bouncycastle/math/ec/test/ECPointTest.java+19 −0 modified@@ -196,6 +196,25 @@ private void implTestAdd(ECPoint[] p, ECPoint infinity) } } + public void testLargeMInF2m() + { + int m = 2048; + int k1 = 1; + BigInteger aTpb = new BigInteger("1000", 2); + BigInteger bTpb = new BigInteger("1001", 2); + BigInteger n = new BigInteger("23"); + BigInteger h = new BigInteger("1"); + + try + { + ECCurve.F2m curve = new ECCurve.F2m(m, k1, aTpb, bTpb, n, h); + } + catch (IllegalArgumentException e) + { + assertEquals("field size out of range: 2048", e.getMessage()); + } + } + /** * Calls <code>implTestAdd()</code> for <code>Fp</code> and * <code>F2m</code>.
efc498ca4caaadded bounds check on f2m field size.
1 file changed · +5 −0
core/src/main/java/org/bouncycastle/math/ec/ECCurve.java+5 −0 modified@@ -998,6 +998,11 @@ protected ECFieldElement solveQuadraticEquation(ECFieldElement beta) int m = this.getFieldSize(); + if (m > Properties.asInteger("org.bouncycastle.ec.max_f2m_field_size", 1142)) // twice 571 + { + throw new IllegalStateException("field size out of range: " + m); + } + // For odd m, use the half-trace if (0 != (m & 1)) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-8xfc-gm6g-vgpvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29857ghsaADVISORY
- github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63ghsaWEB
- github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501fghsaWEB
- github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281ghsaWEB
- security.netapp.com/advisory/ntap-20241206-0008ghsaWEB
- www.bouncycastle.org/latest_releases.htmlnvdWEB
- security.netapp.com/advisory/ntap-20241206-0008/nvd
News mentions
0No linked articles in our index yet.