Vulnerability in BC-JAVA Product by Legion of the Bouncy Castle Inc.
CVE-2026-5588

6.3 MEDIUM

Key Information:

CVE Published: 15 April 2026

What is CVE-2026-5588?

A vulnerability exists in the BC-JAVA library in which the PKIX draft CompositeVerifier incorrectly accepts an empty signature sequence as valid. This flaw arises from the use of inadequate cryptographic algorithms within the library's PKIX modules. The issue affects all versions from 1.49 up to, but not including, 1.84. Under specific circumstances, an attacker may be able to bypass signature verification, which could compromise the integrity of cryptographic operations.
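The failure class described above, shown as an added illustration that is not Bouncy Castle's code: a simplified model of composite verification in which a loop driven by the supplied signatures accepts an empty sequence, next to a fail-closed version. The class, record and method names are hypothetical, the message is constructed, and only JDK (16 or later) APIs are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;

public class CompositeVerifyDemo {
    // Hypothetical model of one component of a composite key: JCA algorithm name plus public key.
    record Component(String alg, PublicKey key) {}

    // Weak pattern: iterates over whatever signatures were supplied.
    // With zero signatures the loop never runs and nothing is ever checked.
    static boolean verifyWeak(List<Component> comps, List<byte[]> sigs, byte[] msg) throws GeneralSecurityException {
        for (int i = 0; i < sigs.size(); i++) {
            if (!verifyOne(comps.get(i), sigs.get(i), msg)) return false;
        }
        return true;
    }

    // Hardened pattern: fail closed unless there is exactly one signature per component key.
    static boolean verifyStrict(List<Component> comps, List<byte[]> sigs, byte[] msg) throws GeneralSecurityException {
        if (comps.isEmpty() || sigs.size() != comps.size()) return false;
        boolean ok = true;
        for (int i = 0; i < comps.size(); i++) ok &= verifyOne(comps.get(i), sigs.get(i), msg);
        return ok;
    }

    static boolean verifyOne(Component c, byte[] sig, byte[] msg) throws GeneralSecurityException {
        Signature v = Signature.getInstance(c.alg());
        v.initVerify(c.key());
        v.update(msg);
        try { return v.verify(sig); } catch (SignatureException e) { return false; } // malformed = invalid
    }

    static byte[] sign(String alg, PrivateKey key, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(msg);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        KeyPair ec = KeyPairGenerator.getInstance("EC").generateKeyPair();
        KeyPair ed = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        List<Component> comps = List.of(new Component("SHA256withECDSA", ec.getPublic()), new Component("Ed25519", ed.getPublic()));
        List<byte[]> good = List.of(sign("SHA256withECDSA", ec.getPrivate(), msg), sign("Ed25519", ed.getPrivate(), msg));
        System.out.println("weak,   both signatures: " + verifyWeak(comps, good, msg));
        System.out.println("weak,   empty sequence:  " + verifyWeak(comps, List.of(), msg));
        System.out.println("strict, both signatures: " + verifyStrict(comps, good, msg));
        System.out.println("strict, empty sequence:  " + verifyStrict(comps, List.of(), msg));
    }
}
```

A regression test for any composite or multi-signature verifier should include the empty-sequence case and a sequence shorter than the key list, both expected to be rejected.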

Affected Version(s)

BC-JAVA all 1.67 < 1.84

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
