CVE-2026-5598
Published: 15 April 2026
Summary
CVE-2026-5598 is a high-severity Covert Timing Channel (CWE-385) vulnerability in Red Hat (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks at the 39.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22872
Vulnerability details
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
CWE-385 timing side-channel in Frodo KEM implementation directly enables key recovery (credential access) via local observation of execution timing differences.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly targets covert timing channels by requiring identification and bandwidth estimation, enabling mitigation that reduces or eliminates their usability.