CVE-2026-5588: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Legion of the Bouncy Castle Inc. BC-JAVA
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
AI Analysis
Technical Summary
This vulnerability concerns the use of broken or risky cryptographic algorithms within the pkix modules of Legion of the Bouncy Castle Inc.'s BC-JAVA libraries, specifically in the JcaContentVerifierProviderBuilder.Java and JcaContentVerfierProviderBuilder.Java files. Affected versions include BC-JAVA from 1.67 before 1.80.2, from 1.81 before 1.81.1, and from 1.82 before 1.84; BCPKIX-FIPS from 2.0.6 before 2.0.11 and from 2.1.7 before 2.1.11; and BCPIX-LTS from 2.73.7 before 2.73.11. The CVSS 4.0 base score is 6.3, indicating a medium severity level. The vulnerability is categorized under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). No known exploits in the wild have been reported, and no official remediation level or patch links are provided.
Potential Impact
The vulnerability could potentially weaken cryptographic protections relying on the affected pkix modules, possibly undermining data integrity or authenticity assurances. However, no known exploits in the wild have been reported, and the impact is rated medium severity based on the CVSS score. The absence of a confirmed remediation level suggests that the risk remains until a fix is applied.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor updates from Legion of the Bouncy Castle Inc. and plan to upgrade to fixed versions once available. Avoid using affected versions in new deployments where possible.
CVE-2026-5588: CWE-327 Use of a Broken or Risky Cryptographic Algorithm in Legion of the Bouncy Castle Inc. BC-JAVA
Description
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
CVSS v4.0
Score 6.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability concerns the use of broken or risky cryptographic algorithms within the pkix modules of Legion of the Bouncy Castle Inc.'s BC-JAVA libraries, specifically in the JcaContentVerifierProviderBuilder.Java and JcaContentVerfierProviderBuilder.Java files. Affected versions include BC-JAVA from 1.67 before 1.80.2, from 1.81 before 1.81.1, and from 1.82 before 1.84; BCPKIX-FIPS from 2.0.6 before 2.0.11 and from 2.1.7 before 2.1.11; and BCPIX-LTS from 2.73.7 before 2.73.11. The CVSS 4.0 base score is 6.3, indicating a medium severity level. The vulnerability is categorized under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). No known exploits in the wild have been reported, and no official remediation level or patch links are provided.
Potential Impact
The vulnerability could potentially weaken cryptographic protections relying on the affected pkix modules, possibly undermining data integrity or authenticity assurances. However, no known exploits in the wild have been reported, and the impact is rated medium severity based on the CVSS score. The absence of a confirmed remediation level suggests that the risk remains until a fix is applied.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor updates from Legion of the Bouncy Castle Inc. and plan to upgrade to fixed versions once available. Avoid using affected versions in new deployments where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- bcorg
- Date Reserved
- 2026-04-04T23:50:59.336Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69df5b0f82d89c981fca1f4c
Added to database: 4/15/2026, 9:31:59 AM
Last enriched: 5/19/2026, 8:58:37 AM
Last updated: 5/31/2026, 12:39:34 AM
Views: 93
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.