CVE-2026-5588
Awaiting Analysis Awaiting Analysis - Queue
Broken Cryptographic Algorithm in BC-JAVA PKIX Enables Signature Bypass

Publication date: 2026-04-15

Last updated on: 2026-05-19

Assigner: bcorg

Description
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5588
EUVD
EUVD-2026-22871
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
legion_of_the_bouncy_castle_inc bc-java From 1.49 (inc) to 1.84 (exc)
legion_of_the_bouncy_castle_inc bc-java From 1.67 (inc) to 1.83 (inc)
legion_of_the_bouncy_castle_inc bc-java 1.84
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

Because the vulnerability allows an empty signature sequence to be accepted as valid, an attacker could exploit this to bypass signature verification.

This could lead to unauthorized code execution, data tampering, or acceptance of malicious data or software as legitimate, compromising the security and integrity of applications using the affected Bouncy Castle versions.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Bouncy Castle Java library (bc-java) to version 1.84 or later, where the issue with the PKIX draft CompositeVerifier accepting empty signature sequences as valid has been fixed.

Executive Summary

CVE-2026-5588 is a security vulnerability in the Bouncy Castle Java library (bc-java) affecting versions 1.67 through 1.83. The issue involves the PKIX draft CompositeVerifier component, which incorrectly accepts an empty signature sequence as valid during signature verification.

This flaw means that the system may treat an unsigned or empty signature as if it were valid, potentially allowing attackers to bypass signature validation checks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart