Historic bugs found by Project Wycheproof
December 15, 2025 ยท View on GitHub
Package OpenJDK
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| Biased DSA, leaks signing key | Daniel Bleichenbacher | CVE-2016-0695 | Oracle Critical Patch Update April 2016 | DsaTest: testDsaBias, testBiasSha1WithDSA |
| GCM's timing attack, leaks auth key | Quan Nguyen | CVE-2016-3426 | Oracle Critical Patch Update April 2016 | N/A |
| GCM updateAAD | Quan nguyen | N/A | Oracle Critical Patch Update April 2016 | AesGcmTest: testLateUpdateAAD |
| GCM wrapped around counter, leaks auth key | Quan Nguyen | N/A | Oracle Critical Patch Update April 2016 | AesGcmTest: testWrappedAroundCounter |
| DSA ArrayIndexOutOfBoundsException | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | DsaTest: testInvalidSignatures |
| RSA OutOfMemoryError | Daniel Bleichenbacher | CVE-2016-5547 | Oracle Critical Patch Update Jan 2017 | RsaSignatureTest: testVectors |
| DSA accepts modified signatures | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | DsaTest: testModifiedSignatures |
| DSA Timing Attack | Daniel Bleichenbacher | CVE-2016-5548 | Oracle Critical Patch Update Jan 2017 | DsaTest: testTiming |
| ECDSA accepts modified signatures | Daniel Bleichenbacher | CVE-2016-5546 | Oracle Critical Patch Update Jan 2017 | EcdsaTest: testModifiedSignatures |
| ECDSA Timing Attack | Daniel Bleichenbacher | CVE-2016-5549 | Oracle Critical Patch Update Jan 2017 | EcdsaTest: testTiming |
| Biased ECDSA | Daniel Bleichenbacher | Ecdsa: testBias |
Package Conscrypt
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| ECDH Invalid Curve Attack | Daniel Bleichenbacher | N/A | EcdhTest: multiple tests | |
| GCM IV reuse | Daniel Bleichenbacher | N/A | AesGcmTest: testIvReuse | |
| GCM weak default tag length | Quan Nguyen | N/A | AesGcmTest: testDefaultTagSizeIvParameterSpec |
Package BouncyCastle v1.55 and older
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| v1.55 ECDH upstream fix was incomplete | Daniel Bleichenbacher | N/A | Ecdh: multiple tests | |
| ECDHC Invalid curve attack | Daniel Bleichenbacher | N/A | EcdhTest: testModifiedPublic,testModifiedPublicSpec, testWrongOrder | |
| v1.55 PKCS #1 RSA is more vulnerable to CCA attack | Daniel Bleichenbacher | N/A | RsaTest: testExceptions | |
| Dhies uses unsafe ECB mode | Daniel Bleichenbacher | CVE-2016-1000344 | DhiesTest | |
| ECIES use unsafe ECB mode by default for "ECIESWithAES" or "ECIESwithDESede" | Daniel Bleichenbacher | CVE-2016-1000352 | EciesTest: testNotEcb, testDefaultEcies | |
| 1.52 ECIESWithAES-CBC is vulnerable to padding oracle attack | Daniel Bleichenbacher | CVE-2016-1000345 | EciesTest: testExceptions | |
| GCM reuses IV after doFinal() | Daniel Bleichenbacher | N/A | ||
| ECDSA accepts invalid signatures | Daniel Bleichenbacher | CVE-2016-1000342 | EcdsaTest: testModifiedSignatures | |
| DSA accepts invalid signatures | Daniel Bleichenbacher | CVE-2016-1000338 | DsaTest: testModifiedsignatures | |
| DSA generates weak key | Daniel Bleichenbacher | CVE-2016-1000343 | DsaTest: testKeyGeneration | |
| Allows invalid DH public key | Daniel Bleichenbacher | CVE-2016-1000346 | DhTest: incomplete | |
| DSA timing attacks | Daniel Bleichenbacher | CVE-2016-1000341 | DsaTest: testTiming | |
| GCM Wrapped Around Counter | Quan Nguyen | CVE-2015-6644 | Nexus Security Bullentin Jan 2016 | AesGcmTest: testWrappedAroundCounter |
Package Go JOSE (https://github.com/square/go-jose)
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| ECDH Invalid Curve Attack | Quan Nguyen | CVE-2016-9121 | $5500 total by Square Inc. for all bugs | |
| Multiple signatures, auth bypass | Quan Nguyen | CVE-2016-9122 | ||
| Integer overflow, HMAC bypass | Quan Nguyen | CVE-2016-9123 | ||
| Accepts embedded HMAC key | Quan Nguyen | N/A |
Package Go crypto
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| GCM wrapped around counter | Quan Nguyen | N/A | goo.gl/OdhZcY | |
| P-384 and P-521 ScalarMult DoS | Daniel Bleichenbacher, Harris Baskaran | CVE-2019-6486 | golang/go#29903 | ecdh_secp384r1_test.json, ecdh_secp521r1_test.json |
Package Nimbus JOSE+JWT (https://connect2id.com/products/nimbus-jose-jwt)
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| CBC-HMAC is vulnerable to padding oracle attack | Quan Nguyen | N/A | https://goo.gl/ACZQeI | |
| CBC-HMAC integer overflow, HMAC bypass | Quan Nguyen | N/A | https://goo.gl/ACZQeI |
Package OpenSSL
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| X25519 incorrect carry handling | Alex Gaynor and Paul Kehrer | N/A | https://github.com/openssl/openssl/issues/6687 | |
| Ed25519 malleable signatures | Paul Kehrer and Alex Gaynor | N/A | https://github.com/openssl/openssl/issues/7693 |
Package LibreSSL
| Summary | Credits | CVE | Upstream Acknowledgement | Tests |
|---|---|---|---|---|
| Overly lax RSA PKCS1v1.5 parsing | Alex Gaynor and Paul Kehrer | N/A | link |
Package JavaScript Elliptic
| Summary | Credits | CVE | Details | Tests |
|---|---|---|---|---|
| ECDSA rejects valid signatures | Markus Schiffermuller | CVE-2024-48948 | Trail of Bits blog | ecdsa_secp*_sha256_test.json |
| EdDSA malleable signatures | Markus Schiffermuller | CVE-2024-48949 | Trail of Bits blog | ed25519_test.json |
| ECDSA malleable signatures | Markus Schiffermuller | CVE-2024-42459 | Trail of Bits blog, elliptic#317 | ecdsa_secp*_sha256_test.json |
| EdDSA malleable signatures | Markus Schiffermuller | CVE-2024-42460 | Trail of Bits blog, elliptic#317 | ed25519_test.json |
| ECDSA malleable signatures | Markus Schiffermuller | CVE-2024-42461 | Trail of Bits blog, elliptic#317 | ecdsa_secp*_sha256_test.json |