CVE-2026-5588
Cryptographic Issue vulnerability in bcpkix-jdk18on (Maven)


What is CVE-2026-5588 About?

This vulnerability is a "Use of a Broken or Risky Cryptographic Algorithm" issue in the bcpkix module of BC-JAVA from Legion of the Bouncy Castle Inc. The PKIX draft CompositeVerifier mistakenly accepts an empty signature sequence as valid, weakening cryptographic integrity. This can lead to the acceptance of maliciously crafted or unauthenticated data, which an attacker could exploit with moderate ease to bypass security mechanisms where this validation is critical.

Affected Software

  • org.bouncycastle:bcpkix-jdk18on
    • >=1.49, <1.84
  • org.bouncycastle:bcpkix-jdk15to18
    • >=1.49, <1.84
  • org.bouncycastle:bcpkix-jdk15on
    • >=1.49, <1.84
  • org.bouncycastle:bcpkix-jdk14
    • >=1.49, <1.84
  • org.bouncycastle:bcpkix-debug-jdk18on
    • >=1.49, <1.84
  • org.bouncycastle:bcpkix-debug-jdk15to18
    • >=1.49, <1.84
  • org.bouncycastle:bcpkix-debug-jdk14
    • >=1.49, <1.84

Technical Details

The vulnerability resides in the PKIX draft CompositeVerifier component of the BC-JAVA bcpkix library. Specifically, the implementation incorrectly processes and accepts an empty signature sequence as a valid cryptographic signature. This flaw means that security mechanisms relying on this verifier to enforce signature validation could be bypassed. An attacker can craft a PKIX structure with an intentionally empty signature, and the vulnerable verifier will erroneously deem it valid, thereby circumventing cryptographic integrity checks designed to ensure authenticity and non-repudiation of the data.

What is the Impact of CVE-2026-5588?

Successful exploitation may allow attackers to bypass signature validation checks, leading to the acceptance of untrustworthy data or weakening cryptographic integrity in systems relying on the affected library.

What is the Exploitability of CVE-2026-5588?

Exploitation of this vulnerability would require an attacker to craft specific input data (e.g., a certificate or signed message) that intentionally includes an empty signature sequence. The complexity of crafting such an input would be moderate, requiring knowledge of PKIX structures. There are no authentication requirements for the attacker to prepare the malicious data, but they must be able to present this data to a system using the vulnerable BC-JAVA library. No specific privileges are needed on the target system itself. Access is typically remote, as the crafted data is transmitted to the vulnerable service. The primary condition is that the system must be using the affected versions of the BC-JAVA bcpkix module. The risk factor increases in environments where the integrity of signed data is critical and processed by vulnerable versions of the library.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2026-5588?

Available Upgrade Options

  • org.bouncycastle:bcpkix-jdk15to18
    • >=1.49, <1.84 → Upgrade to 1.84
  • org.bouncycastle:bcpkix-jdk15on
    • >=1.49, <1.84 → Upgrade to 1.84
  • org.bouncycastle:bcpkix-jdk14
    • >=1.49, <1.84 → Upgrade to 1.84
  • org.bouncycastle:bcpkix-debug-jdk15to18
    • >=1.49, <1.84 → Upgrade to 1.84
  • org.bouncycastle:bcpkix-debug-jdk14
    • >=1.49, <1.84 → Upgrade to 1.84
  • org.bouncycastle:bcpkix-debug-jdk18on
    • >=1.49, <1.84 → Upgrade to 1.84
  • org.bouncycastle:bcpkix-jdk18on
    • >=1.49, <1.84 → Upgrade to 1.84
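One way to check a build for the artifacts and version range listed above, as an added example (not code from this advisory or from Bouncy Castle). It assumes input in the `groupId:artifactId:type[:classifier]:version:scope` form printed by `mvn dependency:list`; the sample lines and function names are constructed for illustration.

```python
import re

# Affected coordinates and range as listed on this page: >=1.49, <1.84.
AFFECTED_GROUP = "org.bouncycastle"
AFFECTED_ARTIFACTS = {
    "bcpkix-jdk18on", "bcpkix-jdk15to18", "bcpkix-jdk15on", "bcpkix-jdk14",
    "bcpkix-debug-jdk18on", "bcpkix-debug-jdk15to18", "bcpkix-debug-jdk14",
}
FIRST_AFFECTED = (1, 49)
FIRST_FIXED = (1, 84)

# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.bouncycastle:bcpkix-jdk18on:jar:1.78.1:compile
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile
[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.70:runtime
[INFO]    org.bouncycastle:bcpkix-debug-jdk18on:jar:1.84:test
[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile
"""


def parse_version(text):
    """Return the numeric prefix as a tuple, e.g. '1.78.1' -> (1, 78, 1)."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in match.group(0).split(".")) if match else None


def find_affected(dependency_list_text):
    """Return (artifact, version) pairs that fall inside the affected range."""
    hits = []
    for line in dependency_list_text.splitlines():
        for token in line.split():
            parts = token.split(":")
            # group:artifact:type:version:scope, or with a classifier before version
            if len(parts) not in (5, 6):
                continue
            group, artifact, version = parts[0], parts[1], parts[-2]
            if group != AFFECTED_GROUP or artifact not in AFFECTED_ARTIFACTS:
                continue
            parsed = parse_version(version)
            # Fail closed: a version that cannot be parsed is reported for review.
            if parsed is None or FIRST_AFFECTED <= parsed < FIRST_FIXED:
                hits.append((artifact, version))
    return hits


if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE):
        print(f"AFFECTED {AFFECTED_GROUP}:{artifact}:{version} -> upgrade to 1.84")
```

Transitive copies matter here: run it over the full resolved dependency list, not only the direct dependencies declared in the POM.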

Additional Resources

What are Similar Vulnerabilities to CVE-2026-5588?

Similar Vulnerabilities: CVE-2022-21449, CVE-2020-25648, CVE-2018-1000613, CVE-2019-15847, CVE-2021-42392