CVE-2026-5588

EUVD-2026-22871
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).

 This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.



This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Debian logo
Debian Releases
Debian Product
Codename
bouncycastle
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bouncycastle
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
ignored
resolute
needs-triage
xenial
ignored
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bouncycastle
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed
bouncycastle-javadoc
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed
bouncycastle-mail
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed
bouncycastle-pg
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed
bouncycastle-pkix
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed
bouncycastle-tls
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed
bouncycastle-util
Amazon Linux 2023
0:1.70-4.amzn2023.0.7
fixed