Historic bugs found by Project Wycheproof

December 15, 2025 ยท View on GitHub

Package OpenJDK

SummaryCreditsCVEUpstream AcknowledgementTests
Biased DSA, leaks signing keyDaniel BleichenbacherCVE-2016-0695Oracle Critical Patch Update April 2016DsaTest: testDsaBias, testBiasSha1WithDSA
GCM's timing attack, leaks auth keyQuan NguyenCVE-2016-3426Oracle Critical Patch Update April 2016N/A
GCM updateAADQuan nguyenN/AOracle Critical Patch Update April 2016AesGcmTest: testLateUpdateAAD
GCM wrapped around counter, leaks auth keyQuan NguyenN/AOracle Critical Patch Update April 2016AesGcmTest: testWrappedAroundCounter
DSA ArrayIndexOutOfBoundsExceptionDaniel BleichenbacherCVE-2016-5546Oracle Critical Patch Update Jan 2017DsaTest: testInvalidSignatures
RSA OutOfMemoryErrorDaniel BleichenbacherCVE-2016-5547Oracle Critical Patch Update Jan 2017RsaSignatureTest: testVectors
DSA accepts modified signaturesDaniel BleichenbacherCVE-2016-5546Oracle Critical Patch Update Jan 2017DsaTest: testModifiedSignatures
DSA Timing AttackDaniel BleichenbacherCVE-2016-5548Oracle Critical Patch Update Jan 2017DsaTest: testTiming
ECDSA accepts modified signaturesDaniel BleichenbacherCVE-2016-5546Oracle Critical Patch Update Jan 2017EcdsaTest: testModifiedSignatures
ECDSA Timing AttackDaniel BleichenbacherCVE-2016-5549Oracle Critical Patch Update Jan 2017EcdsaTest: testTiming
Biased ECDSADaniel BleichenbacherEcdsa: testBias

Package Conscrypt

SummaryCreditsCVEUpstream AcknowledgementTests
ECDH Invalid Curve AttackDaniel BleichenbacherN/AEcdhTest: multiple tests
GCM IV reuseDaniel BleichenbacherN/AAesGcmTest: testIvReuse
GCM weak default tag lengthQuan NguyenN/AAesGcmTest: testDefaultTagSizeIvParameterSpec

Package BouncyCastle v1.55 and older

SummaryCreditsCVEUpstream AcknowledgementTests
v1.55 ECDH upstream fix was incompleteDaniel BleichenbacherN/AEcdh: multiple tests
ECDHC Invalid curve attackDaniel BleichenbacherN/AEcdhTest: testModifiedPublic,testModifiedPublicSpec, testWrongOrder
v1.55 PKCS #1 RSA is more vulnerable to CCA attackDaniel BleichenbacherN/ARsaTest: testExceptions
Dhies uses unsafe ECB modeDaniel BleichenbacherCVE-2016-1000344DhiesTest
ECIES use unsafe ECB mode by default for "ECIESWithAES" or "ECIESwithDESede"Daniel BleichenbacherCVE-2016-1000352EciesTest: testNotEcb, testDefaultEcies
1.52 ECIESWithAES-CBC is vulnerable to padding oracle attackDaniel BleichenbacherCVE-2016-1000345EciesTest: testExceptions
GCM reuses IV after doFinal()Daniel BleichenbacherN/A
ECDSA accepts invalid signaturesDaniel BleichenbacherCVE-2016-1000342EcdsaTest: testModifiedSignatures
DSA accepts invalid signaturesDaniel BleichenbacherCVE-2016-1000338DsaTest: testModifiedsignatures
DSA generates weak keyDaniel BleichenbacherCVE-2016-1000343DsaTest: testKeyGeneration
Allows invalid DH public keyDaniel BleichenbacherCVE-2016-1000346DhTest: incomplete
DSA timing attacksDaniel BleichenbacherCVE-2016-1000341DsaTest: testTiming
GCM Wrapped Around CounterQuan NguyenCVE-2015-6644Nexus Security Bullentin Jan 2016AesGcmTest: testWrappedAroundCounter

Package Go JOSE (https://github.com/square/go-jose)

SummaryCreditsCVEUpstream AcknowledgementTests
ECDH Invalid Curve AttackQuan NguyenCVE-2016-9121$5500 total by Square Inc. for all bugs
Multiple signatures, auth bypassQuan NguyenCVE-2016-9122
Integer overflow, HMAC bypassQuan NguyenCVE-2016-9123
Accepts embedded HMAC keyQuan NguyenN/A

Package Go crypto

SummaryCreditsCVEUpstream AcknowledgementTests
GCM wrapped around counterQuan NguyenN/Agoo.gl/OdhZcY
P-384 and P-521 ScalarMult DoSDaniel Bleichenbacher, Harris BaskaranCVE-2019-6486golang/go#29903ecdh_secp384r1_test.json, ecdh_secp521r1_test.json

Package Nimbus JOSE+JWT (https://connect2id.com/products/nimbus-jose-jwt)

SummaryCreditsCVEUpstream AcknowledgementTests
CBC-HMAC is vulnerable to padding oracle attackQuan NguyenN/Ahttps://goo.gl/ACZQeI
CBC-HMAC integer overflow, HMAC bypassQuan NguyenN/Ahttps://goo.gl/ACZQeI

Package OpenSSL

SummaryCreditsCVEUpstream AcknowledgementTests
X25519 incorrect carry handlingAlex Gaynor and Paul KehrerN/Ahttps://github.com/openssl/openssl/issues/6687
Ed25519 malleable signaturesPaul Kehrer and Alex GaynorN/Ahttps://github.com/openssl/openssl/issues/7693

Package LibreSSL

SummaryCreditsCVEUpstream AcknowledgementTests
Overly lax RSA PKCS1v1.5 parsingAlex Gaynor and Paul KehrerN/Alink

Package JavaScript Elliptic

SummaryCreditsCVEDetailsTests
ECDSA rejects valid signaturesMarkus SchiffermullerCVE-2024-48948Trail of Bits blogecdsa_secp*_sha256_test.json
EdDSA malleable signaturesMarkus SchiffermullerCVE-2024-48949Trail of Bits bloged25519_test.json
ECDSA malleable signaturesMarkus SchiffermullerCVE-2024-42459Trail of Bits blog, elliptic#317ecdsa_secp*_sha256_test.json
EdDSA malleable signaturesMarkus SchiffermullerCVE-2024-42460Trail of Bits blog, elliptic#317ed25519_test.json
ECDSA malleable signaturesMarkus SchiffermullerCVE-2024-42461Trail of Bits blog, elliptic#317ecdsa_secp*_sha256_test.json