Cyber Resilience

CVE-2026-5588

Medium · Updated

Published: 15 April 2026

Modified: 19 May 2026
KEV Added
Patch
CVSS Score v4: 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber)
EPSS Score: 0.0001 (2.1th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5588 is a medium-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Weaken Encryption (T1600). The CVE is ranked at the 2.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5588, published on 2026-04-15, is a Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix pkix modules across all platforms and Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix pkix modules. The issue is associated with the JcaContentVerifierProviderBuilder.java program file. It affects BC-JAVA versions from 1.67 up to but not including 1.84, as well as BCPKIX-FIPS versions from 2.0.6 before 2.0.11 and from 2.1.7 before 2.1.11.

Attackers can exploit this vulnerability in applications that use the affected Bouncy Castle pkix modules for cryptographic operations involving the JcaContentVerifierProviderBuilder, potentially compromising the integrity of content verification processes due to the broken or risky algorithm.

Advisories indicate mitigation through upgrading to non-affected versions: BC-JAVA 1.84 or later, BCPKIX-FIPS 2.0.11 or later, and 2.1.11 or later. Additional details are available in the Bouncy Castle GitHub commit at https://github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057 and the CVE wiki page at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588.

Vulnerability details

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
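
The affected ranges listed above can be checked against a dependency inventory. The following is an added example, not code from Bouncy Castle or from this page; the function names and the sample inventory are assumptions constructed for illustration. Versions that fall between the listed ranges (such as BC-JAVA 1.80.2) are treated as not affected, following that listing.

```python
import re

# Ranges copied from the "Vulnerability details" text: (first affected, first fixed).
AFFECTED = {
    "BC-JAVA": [("1.67", "1.80.2"), ("1.81", "1.81.1"), ("1.82", "1.84")],
    "BCPKIX-FIPS": [("2.0.6", "2.0.11"), ("2.1.7", "2.1.11")],
    "BCPIX-LTS": [("2.73.7", "2.73.11")],
}

def parse(version, width=4):
    """'1.80.2' -> (1, 80, 2, 0). Numeric parts avoid the string-compare trap
    where '2.0.11' sorts before '2.0.6'; padding makes 1.84 equal 1.84.0."""
    if not re.fullmatch(r"\d+(\.\d+){0,%d}" % (width - 1), version):
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def fixed_in(product, version):
    """Return the first fixed release if `version` is in an affected range, else None."""
    v = parse(version)
    for start, fixed in AFFECTED[product]:
        if parse(start) <= v < parse(fixed):
            return fixed
    return None

def audit(inventory):
    """Turn (product, version) pairs into (product, version, upgrade target) findings."""
    findings = []
    for product, version in inventory:
        target = fixed_in(product, version)
        if target is not None:
            findings.append((product, version, target))
    return findings

# Constructed sample inventory (hypothetical, not from the page).
SAMPLE = [
    ("BC-JAVA", "1.78.1"),
    ("BC-JAVA", "1.80.2"),
    ("BC-JAVA", "1.81"),
    ("BC-JAVA", "1.84"),
    ("BCPKIX-FIPS", "2.0.7"),
    ("BCPKIX-FIPS", "2.1.11"),
    ("BCPIX-LTS", "2.73.8"),
]

if __name__ == "__main__":
    for product, version, target in audit(SAMPLE):
        print(f"{product} {version}: affected, upgrade to {target} or later")
```

Version strings with qualifiers (for example a snapshot suffix) raise ValueError rather than being guessed at, so they surface for manual review.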

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1600 Weaken Encryption · Defense Impairment
Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.
Why these techniques?

The vulnerability is the use of a broken or risky cryptographic algorithm in content and signature verification (JcaContentVerifierProviderBuilder), which directly enables weakening of encryption or integrity protections.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1626 (Shared CWE-327)
CVE-2025-9146 (Shared CWE-327)
CVE-2026-34950 (Shared CWE-327)
CVE-2024-22347 (Shared CWE-327)
CVE-2025-69929 (Shared CWE-327)
CVE-2026-6411 (Shared CWE-327)
CVE-2025-13476 (Shared CWE-327)
CVE-2025-68702 (Shared CWE-327)
CVE-2025-66597 (Shared CWE-327)
CVE-2026-28252 (Shared CWE-327)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires approved cryptographic algorithms and implementations for integrity-protecting operations such as content verification performed by JcaContentVerifierProviderBuilder.

prevent

Mandates timely installation of security-relevant patches, directly addressing the requirement to upgrade BC-JAVA / BCPKIX-FIPS to the fixed releases that eliminate the broken algorithm.

prevent, detect

Requires integrity verification mechanisms whose effectiveness is undermined by the risky algorithm in the affected Bouncy Castle pkix modules.
