CVE-2026-5588
Published: 15 April 2026
Description
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.
Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms.
Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively.
Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones.
Risk updates surface newly-broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement.
Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.
Enforces approved cryptographic algorithms for each use case, blocking use of broken or risky algorithms.
Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors.
Security Summary (AI)
CVE-2026-5588, published on 2026-04-15, is a Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix pkix modules across all platforms and Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix pkix modules. The issue is associated with the JcaContentVerifierProviderBuilder.java program file. It affects BC-JAVA versions from 1.67 up to but not including 1.84, as well as BCPKIX-FIPS versions from 2.0.6 before 2.0.11 and from 2.1.7 before 2.1.11.
Attackers can exploit this vulnerability in applications that use the affected Bouncy Castle pkix modules for cryptographic operations involving the JcaContentVerifierProviderBuilder, potentially compromising the integrity of content verification processes due to the broken or risky algorithm.
Advisories indicate mitigation through upgrading to non-affected versions: BC-JAVA 1.84 or later, BCPKIX-FIPS 2.0.11 or later, and 2.1.11 or later. Additional details are available in the Bouncy Castle GitHub commit at https://github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057 and the CVE wiki page at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Vulnerability is use of broken/risky cryptographic algorithm in content/signature verification (JcaContentVerifierProviderBuilder), directly enabling weakening of encryption or integrity protections.