Bouncy Castle Java Cryptography Library Uses Weak Signature Verification
DEBIAN-CVE-2026-5588
Summary
A widely used Java library for cryptography has a weakness in its verification process. This could allow an attacker to create fake digital signatures that are accepted as valid. Update to the latest version of the library to ensure signature verification is secure.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | bouncycastle | All versions |
| Debian:12 | debian | bouncycastle | All versions |
| Debian:13 | debian | bouncycastle | All versions |
| Debian:14 | debian | bouncycastle | All versions |
Original title
: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules). PKIX draft CompositeVerifier accepts empty signature seq...
Original description
: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules). PKIX draft CompositeVerifier accepts empty signature sequence as valid. This issue affects BC-JAVA: from 1.49 before 1.84.
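The failure mode named in the description, a composite verifier that accepts an empty signature sequence, is the classic vacuous-truth bug: a loop that returns true when every component it saw verified also returns true when it saw none. The added example below is constructed for this page and is not Bouncy Castle code; it does not reproduce the real `CompositeVerifier`. It stands in for a composite scheme with two component algorithms using two HMAC-SHA256 keys (assumed, constructed values), and contrasts the vacuous check with one that requires exactly one signature per component. It also shows a second consequence of the same pattern: a composite with a missing component passes the weak check when iteration stops at the shorter sequence.

```python
import hashlib
import hmac
from typing import Sequence

# Constructed demo keys: each stands in for one component algorithm of a
# composite signature (e.g. a PQ + classical pair). Not real key material.
COMPONENT_KEYS: list[bytes] = [b"demo-component-key-1", b"demo-component-key-2"]


def _component_tag(key: bytes, message: bytes) -> bytes:
    """Stand-in for a component signature: HMAC-SHA256 under that component's key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def sign_composite(message: bytes, keys: Sequence[bytes] = COMPONENT_KEYS) -> list[bytes]:
    """Composite signature = SEQUENCE of component signatures, one per component."""
    return [_component_tag(k, message) for k in keys]


def verify_vacuous(message: bytes, sig_seq: Sequence[bytes],
                   keys: Sequence[bytes] = COMPONENT_KEYS) -> bool:
    """Weak pattern: 'every signature present verified'.

    An empty sequence never enters the loop, so the function returns True.
    zip() also stops at the shorter input, so a sequence missing its second
    component is accepted as long as the first one checks out.
    """
    for comp_sig, key in zip(sig_seq, keys):
        if not hmac.compare_digest(comp_sig, _component_tag(key, message)):
            return False
    return True


def verify_strict(message: bytes, sig_seq: Sequence[bytes],
                  keys: Sequence[bytes] = COMPONENT_KEYS) -> bool:
    """Hardened check: the sequence must carry exactly one signature per
    component, and every one of them must verify. Empty or short sequences
    are rejected before any cryptographic work is done."""
    if len(sig_seq) != len(keys):
        return False
    return all(
        hmac.compare_digest(comp_sig, _component_tag(key, message))
        for comp_sig, key in zip(sig_seq, keys)
    )


def demo() -> dict:
    """Run both verifiers over constructed inputs; returns the outcomes for inspection."""
    msg = b"constructed message"
    good = sign_composite(msg)
    tampered = [good[0], bytes(32)]      # second component replaced with zeros
    truncated = good[:1]                  # second component missing entirely
    return {
        "vacuous_empty": verify_vacuous(msg, []),          # True: the bug
        "vacuous_truncated": verify_vacuous(msg, truncated),  # True: same bug
        "strict_empty": verify_strict(msg, []),             # False
        "strict_truncated": verify_strict(msg, truncated),  # False
        "strict_good": verify_strict(msg, good),            # True
        "strict_tampered": verify_strict(msg, tampered),    # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When reviewing a composite verifier, the property to look for is that the number of component signatures is checked against the number of component public keys (or the algorithm identifier's definition) before the loop, not inferred from whatever the sequence happens to contain.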
- https://security-tracker.debian.org/tracker/CVE-2026-5588 Vendor Advisory
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026