{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5588", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "state": "PUBLISHED", "assignerShortName": "bcorg", "dateReserved": "2026-04-04T23:50:59.336Z", "datePublished": "2026-04-15T09:06:15.617Z", "dateUpdated": "2026-04-15T15:59:05.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T15:59:05.007Z"}, "title": "PKIX draft CompositeVerifier accepts empty signature sequence as valid.", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "affected": [{"vendor": "Legion of the Bouncy Castle Inc.", "product": "BC-JAVA", "platforms": ["all"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "packageName": "bcpkix", "repo": "https://github.com/bcgit/bc-java", "modules": ["pkix"], "versions": [{"status": "affected", "version": "1.67", "lessThan": "1.84", "versionType": "maven"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).\n\n\nPKIX draft CompositeVerifier accepts empty signature sequence as valid.\n\n\nThis issue affects BC-JAVA: from 1.49 before 1.84.", "supportingMedia": [{"type": "text/html", "base64": false, "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).<div><br></div><div>PKIX draft CompositeVerifier accepts empty signature sequence as valid.</div><div><br><p>This issue affects BC-JAVA: from 1.49 before 1.84.</p></div>"}]}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "GREEN", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green"}}], "credits": [{"lang": "en", "value": "Nicholas Carlini using Claude, Anthropic", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:11:19.255996Z", "id": "CVE-2026-5588", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:11:24.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5588", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:11:19.255996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:11:21.652Z"}}], "cna": {"title": "PKIX draft CompositeVerifier accepts empty signature sequence as valid.", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bcgit/bc-java", "vendor": "Legion of the Bouncy Castle Inc.", "modules": ["pkix"], "product": "BC-JAVA", "versions": [{"status": "affected", "version": "1.49", "lessThan": "1.84", "versionType": "maven"}], "platforms": ["all"], "packageName": "bcpkix", "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).\n\n\nPKIX draft CompositeVerifier accepts empty signature sequence as valid.\n\n\nThis issue affects BC-JAVA: from 1.49 before 1.84.", "supportingMedia": [{"type": "text/html", "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).<div><br></div><div>PKIX draft CompositeVerifier accepts empty signature sequence as valid.</div><div><br><p>This issue affects BC-JAVA: from 1.49 before 1.84.</p></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"}]}], "providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T09:06:15.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5588", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:11:24.398Z", "dateReserved": "2026-04-04T23:50:59.336Z", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "datePublished": "2026-04-15T09:06:15.617Z", "assignerShortName": "bcorg"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": ": Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).\n\n\nPKIX draft CompositeVerifier accepts empty signature sequence as valid.\n\n\nThis issue affects BC-JAVA: from 1.49 before 1.84."}], "id": "CVE-2026-5588", "lastModified": "2026-04-15T10:16:49.597", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "91579145-5d7b-4cc5-b925-a0262ff19630", "type": "Secondary"}]}, "published": "2026-04-15T10:16:49.597", "references": [{"source": "91579145-5d7b-4cc5-b925-a0262ff19630", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588"}], "sourceIdentifier": "91579145-5d7b-4cc5-b925-a0262ff19630", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "91579145-5d7b-4cc5-b925-a0262ff19630", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all"], "status": "affected", "versions": {"scheme": "generic", "value": "[1.49,1.84)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "BC-JAVA", "source": "cna", "vendor": "Legion of the Bouncy Castle Inc."}, "product": "bc-java", "vendor": "bouncycastle"}], "analysis": {"en": {"generated_at": "2026-04-15T11:27:57.754082+00:00", "value": {"mitigation_remediation": ["Update the Bouncy Castle BC-JAVA library to version 1.84 or later.", "For applications that cannot upgrade immediately, modify the certificate validation logic to reject certificates with an empty signature sequence.", "Consider using an alternative cryptographic library or enabling stricter PKIX validation if available within your environment."], "summary": {"action": "Patch Now", "impact": "Unauthorized Certificate Acceptance"}, "threat_synthesis": {"affected_systems": "The issue impacts Bouncy Castle Inc.\u2019s BC-JAVA library from version 1.49 up to and including 1.83. All Java applications that depend on the bc\u2011pkix module in these releases are vulnerable until an upgraded version is installed.", "description_and_impact": "An error in the Bouncy Castle BC-JAVA PKIX CompositeVerifier allows it to consider an empty signature sequence valid. This flaw is classified as CWE\u2011327, a broken or risky cryptographic algorithm. It is inferred that an attacker can construct a certificate chain with an empty signature sequence that the vulnerable verifier will accept, effectively allowing the forging of trusted certificates.", "risk_and_exploitability": "The vulnerability has a CVSS score of 10, the highest severity level. The exploitation probability metric is unavailable and the vulnerability is not recorded in CISA's Known Exploited Vulnerabilities catalog. The attack vector is likely through the construction of a forged certificate chain, so any application that performs PKIX verification using the affected library could be compromised. Without an available exploit track, the risk remains high because the flaw enables the attacker to bypass certificate validation entirely, granting them authority equivalent to a trusted party."}}}}, "created": "2026-04-15T13:49:14.858593+00:00", "updated": "2026-04-15T14:53:09.125897+00:00", "vendors": ["bouncycastle", "bouncycastle$PRODUCT$bc-java"]}