CVE-2025-8916 - bcpkix-fips version 1.0.8 available date

[gorsr01]

Hi Team

I saw in one of your CVE page that CBE 2025-8916 got addressed. in bcpkix-fips-1.0.8 version but am unable to find that version.Can you please/guide me to exact location where I can download that library.

[srivilliamsai]

Hi,

The version bcpkix-fips-1.0.8 has not yet been publicly released on Maven Central or the Bouncy Castle official downloads page. The CVE page references the internal fix milestone, not a published artifact.

Here’s what you can do:

The latest publicly available FIPS release is currently 1.0.7.1, available here:
🔗 https://downloads.bouncycastle.org/fips-java/

The 1.0.8 build is expected to be published once the corresponding BCFIPS 1.0.8 certification is finalized and approved by NIST/CMVP.

You can track official announcements on the Bouncy Castle mailing list or GitHub:
🔗 https://github.com/bcgit/bc-java

Until 1.0.8 is released, please continue using 1.0.7.1 and monitor the official release channels for updates.

Best regards,
Sri Villiam Sai

[gorsr01]

Hi Srivilliamsai

Thank you for your response. But I can see only [bcpg-fips-1.0.7.1.jar] in the download link .
Am unable to see the bcpkix-fips-1.0.7.1 version which I need.

Can you please guide me.

Thanks
Srikanth

[srivilliamsai]

The Automatic Way:

When you add this to your pom.xml file:

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-fips</artifactId>
    <version>1.0.7.1</version>
</dependency>

Maven will automatically connect to the central repository online, find the bcpkix-fips-1.0.7.1.jar file, download it, and add it to your project's build path. You don't have to manually download anything. It's the most reliable method.

[gorsr01]

Hi Srivilliamsai

I tried using the same but I got the error message unable to find org.bouncycastle.bcpkix-fips:1.0.7.1 version.
Am using gradle.

Thanks
Srikanth