PatchSiren

CVE-2026-5588 Legion of the Bouncy Castle Inc. CVE debrief

A Use of a Broken or Risky Cryptographic Algorithm vulnerability (CWE-327) exists in Legion of the Bouncy Castle's BC-JAVA, BCPKIX-FIPS, and BCPIX-LTS libraries. The vulnerability affects the PKIX modules and is associated with the JcaContentVerifierProviderBuilder and JcaContentVerfierProviderBuilder Java files. The issue stems from improper cryptographic algorithm selection that could allow attackers to bypass signature verification or forge signatures in affected certificate processing operations.

Vendor: Legion of the Bouncy Castle Inc.
Product: BC-JAVA
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-19
Advisory published: 2026-04-15
Advisory updated: 2026-05-19

Who should care

Organizations using Bouncy Castle libraries for certificate processing, PKI infrastructure, or cryptographic operations in Java applications should prioritize patching. This particularly affects enterprises running certificate authority software, TLS implementations, or document signing systems built on Bouncy Castle components.

Technical summary

The vulnerability exists in Bouncy Castle's PKIX module implementations where broken or risky cryptographic algorithms may be used during certificate signature verification. Affected classes include JcaContentVerifierProviderBuilder and JcaContentVerfierProviderBuilder. The flaw could potentially allow signature forgery or verification bypass in certificate chain validation. Multiple product lines are affected: BC-JAVA (versions 1.67-1.80.1, 1.81, 1.82-1.83), BCPKIX-FIPS (versions 2.0.6-2.0.10, 2.1.7-2.1.10), and BCPIX-LTS (versions 2.73.7-2.73.10). The vendor has released patched versions and published detailed remediation guidance.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade BC-JAVA to version 1.80.2, 1.81.1, or 1.84 or later depending on your current branch
  • Upgrade BCPKIX-FIPS to version 2.0.11 or 2.1.11 or later depending on your current branch
  • Upgrade BCPIX-LTS to version 2.73.11 or later
  • Review applications using Bouncy Castle for certificate verification operations
  • Audit certificate validation logic in affected JcaContentVerifierProviderBuilder implementations
  • Monitor vendor security advisories for additional guidance
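
To support the upgrade and review actions above, the following added example (not code from the vendor or from this advisory) triages a dependency listing against the affected ranges and fixed releases stated on this page. The mapping from the page's product names to bcpkix-* artifactId patterns, the function names, and the sample listing are assumptions made for illustration.

```python
import re

# Affected ranges (inclusive) and the fixed release per branch, as listed on this page.
AFFECTED = {
    "BC-JAVA": [("1.67", "1.80.1", "1.80.2"), ("1.81", "1.81", "1.81.1"),
                ("1.82", "1.83", "1.84")],
    "BCPKIX-FIPS": [("2.0.6", "2.0.10", "2.0.11"), ("2.1.7", "2.1.10", "2.1.11")],
    "BCPIX-LTS": [("2.73.7", "2.73.10", "2.73.11")],
}
# Assumption: artifactId patterns for the PKIX module of each product line.
ARTIFACT_PRODUCT = [
    (re.compile(r"bcpkix-fips$"), "BCPKIX-FIPS"),
    (re.compile(r"bcpkix-lts\w*$"), "BCPIX-LTS"),
    (re.compile(r"bcpkix-jdk\w+$"), "BC-JAVA"),
]
# Matches Maven (group:artifact:jar:version) and Gradle (group:artifact:version) forms.
COORD = re.compile(r"org\.bouncycastle:([\w-]+):(?:jar:)?(\d+(?:\.\d+)*)")

def vkey(version):
    """'1.80.1' -> (1, 80, 1, 0), so that 1.80.2 > 1.80.1 and 1.81 == 1.81.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(lines):
    """Return (artifact, version, product, fixed_release) for each affected coordinate."""
    hits = []
    for line in lines:
        for artifact, version in COORD.findall(line):
            product = next((p for rx, p in ARTIFACT_PRODUCT if rx.match(artifact)), None)
            for low, high, fixed in AFFECTED.get(product, []):
                if vkey(low) <= vkey(version) <= vkey(high):
                    hits.append((artifact, version, product, fixed))
    return hits

# Constructed sample: `mvn dependency:list` style lines plus one Gradle declaration.
SAMPLE = """\
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile
[INFO]    org.bouncycastle:bcpkix-jdk18on:jar:1.78.1:compile
[INFO]    org.bouncycastle:bcpkix-jdk18on:jar:1.80.2:runtime
[INFO]    org.bouncycastle:bcpkix-fips:jar:2.0.7:compile
[INFO]    org.bouncycastle:bcpkix-lts8on:jar:2.73.11:compile
implementation 'org.bouncycastle:bcpkix-jdk15on:1.66'
""".splitlines()

if __name__ == "__main__":
    for artifact, version, product, fixed in triage(SAMPLE):
        print(f"{artifact} {version}: affected ({product}), branch fix is {fixed}")
```

Shaded or repackaged copies of Bouncy Castle do not appear under the org.bouncycastle coordinates and need a separate check.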

Evidence notes

The vulnerability was published on 2026-04-15 and last modified on 2026-05-19. The NVD entry shows status 'Awaiting Analysis' with CVSS 4.0 vector indicating network attack vector, low attack complexity, and partial attack timing requirements. The vendor has published a dedicated CVE wiki page and committed a fix.
