CVE-2026-5588
Published: 15 April 2026
Summary
CVE-2026-5588 is a medium-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Weaken Encryption (T1600); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5588, published on 2026-04-15, is a Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix pkix modules across all platforms and Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix pkix modules. The issue is associated with the JcaContentVerifierProviderBuilder.java program file. It affects BC-JAVA versions from 1.67 up to but not including 1.84, as well as BCPKIX-FIPS versions from 2.0.6 before 2.0.11 and from 2.1.7 before 2.1.11.
Attackers can exploit this vulnerability in applications that use the affected Bouncy Castle pkix modules for cryptographic operations involving the JcaContentVerifierProviderBuilder, potentially compromising the integrity of content verification processes due to the broken or risky algorithm.
Advisories indicate mitigation through upgrading to non-affected versions: BC-JAVA 1.84 or later, BCPKIX-FIPS 2.0.11 or later, and 2.1.11 or later. Additional details are available in the Bouncy Castle GitHub commit at https://github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057 and the CVE wiki page at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22871
Vulnerability details
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc.…
more
BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is use of broken/risky cryptographic algorithm in content/signature verification (JcaContentVerifierProviderBuilder), directly enabling weakening of encryption or integrity protections.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires approved cryptographic algorithms and implementations for integrity-protecting operations such as content verification performed by JcaContentVerifierProviderBuilder.
Mandates timely installation of security-relevant patches, directly addressing the requirement to upgrade BC-JAVA / BCPKIX-FIPS to the fixed releases that eliminate the broken algorithm.
Requires integrity verification mechanisms whose effectiveness is undermined by the risky algorithm in the affected Bouncy Castle pkix modules.