BC-JAVA bcpkix 1.491.83: Empty Signature Vulnerability in PKIX CompositeVerifier
CVE-2026-5588 Published on April 15, 2026
PKIX draft CompositeVerifier accepts empty signature sequence as valid.
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).
This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.
This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
Weakness Type
Use of a Broken or Risky Cryptographic Algorithm
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm.
Products Associated with CVE-2026-5588
Want to know whenever a new CVE is published for Bouncycastle Bc Java? stack.watch will email you.
Affected Versions
Legion of the Bouncy Castle Inc. BC-JAVA:- Version 1.67 and below 1.80.2 is affected.
- Version 1.81 and below 1.81.1 is affected.
- Version 1.82 and below 1.84 is affected.
- Version 2.0.6 and below 2.0.11 is affected.
- Version 2.1.7 and below 2.1.11 is affected.
- Version 2.73.7 and below 2.73.11 is affected.