Description

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.

PUBLISHED Reserved 2026-04-04 | Published 2026-04-15 | Updated 2026-05-18 | Assigner bcorg




MEDIUM: 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Amber

Problem types

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Product status

BC-JAVA
Default status: unaffected
1.67 (maven) before 1.80.2: affected
1.81 (maven) before 1.81.1: affected
1.82 (maven) before 1.84: affected

BCPKIX-FIPS
Default status: unaffected
2.0.6 (maven) before 2.0.11: affected
2.1.7 (maven) before 2.1.11: affected

BCPIX-LTS
Default status: unaffected
2.73.7 (maven) before 2.73.11: affected

Credits

Nicholas Carlini using Claude, Anthropic (finder)

References

github.com/bcgit/bc-java/wiki/CVE‐2026‐5588 vendor-advisory

github.com/...ommit/656bae0dbd9b1521f840521ff786e78749fe3057 patch

cve.org (CVE-2026-5588)

nvd.nist.gov (CVE-2026-5588)
