## Bouncy Castle BC-JAVA CVE-2026-5588: PKIX CompositeVerifier Validates Empty Signature Sequences
A critical cryptographic vulnerability in the Bouncy Castle BC-JAVA library allows empty signature sequences to pass verification checks under certain PKIX configurations. The flaw, tracked as CVE-2026-5588 and classified under CWE-327 (Use of Broken or Risky Cryptographic Algorithm), affects the bcpkix module across multiple package distributions including bcprov-jdk18on version 1.78.1. The vulnerability stems from the PKIX draft CompositeVerifier accepting empty signature sequences as valid, fundamentally undermining signature verification logic in affected applications.

The issue impacts BC-JAVA versions from 1.49 through any release prior to 1.84. The Bouncy Castle project, maintained by Legion of the Bouncy Castle Inc., has confirmed the vulnerability on its official GitHub wiki. The CompositeVerifier component, designed to validate composite signatures in PKIX implementations, does not check that any component signature is actually present before reporting a signature chain as verified; an empty signature sequence therefore passes. For any system that trusts this verifier's result, that is a signature-verification bypass that malicious actors could potentially exploit.
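
The failure mode described above is a vacuous check: a loop that rejects any component that fails to verify, but returns success when there are no components at all. The following is an added, self-contained Java example written for this page; it is not Bouncy Castle code and does not reproduce the library's actual CompositeVerifier. It assumes the composite signature value is DER-encoded as `SEQUENCE SIZE (2..MAX) OF BIT STRING` (the layout used by the early PKIX composite-signature drafts), uses the JDK's own Ed25519 provider for the component algorithm, and uses a constructed sample message. The class name, method names and the two-component key are all illustrative assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

/** Illustrative composite-signature checks (assumed layout; not Bouncy Castle code). */
public class CompositeCheck {

    private static final int TAG_SEQUENCE = 0x30;
    private static final int TAG_BIT_STRING = 0x03;

    /** Read a DER length (short or long form) at pos[0] and advance past it. */
    private static int readLength(byte[] der, int[] pos) {
        int first = der[pos[0]++] & 0xFF;
        if (first < 0x80) return first;
        int numBytes = first & 0x7F;
        if (numBytes == 0 || numBytes > 4) throw new IllegalArgumentException("bad DER length");
        int len = 0;
        for (int i = 0; i < numBytes; i++) len = (len << 8) | (der[pos[0]++] & 0xFF);
        return len;
    }

    /** Split SEQUENCE OF BIT STRING into raw component signatures (unused-bits byte stripped). */
    static List<byte[]> parseComponents(byte[] der) {
        int[] pos = {0};
        if ((der[pos[0]++] & 0xFF) != TAG_SEQUENCE) throw new IllegalArgumentException("not a SEQUENCE");
        int end = pos[0] + readLength(der, pos);
        if (end != der.length) throw new IllegalArgumentException("trailing data");
        List<byte[]> out = new ArrayList<>();
        while (pos[0] < end) {
            if ((der[pos[0]++] & 0xFF) != TAG_BIT_STRING) throw new IllegalArgumentException("not a BIT STRING");
            int len = readLength(der, pos);
            if (len < 1 || der[pos[0]] != 0) throw new IllegalArgumentException("unused bits must be 0");
            byte[] sig = new byte[len - 1];
            System.arraycopy(der, pos[0] + 1, sig, 0, len - 1);
            out.add(sig);
            pos[0] += len;
        }
        return out;
    }

    private static boolean verifyOne(PublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("Ed25519");
        s.initVerify(key);
        s.update(msg);
        return s.verify(sig);
    }

    /** Vulnerable pattern: each present component must verify, but zero components is vacuously "verified". */
    static boolean verifyVacuous(List<PublicKey> keys, byte[] msg, byte[] der) throws GeneralSecurityException {
        List<byte[]> sigs = parseComponents(der);
        for (int i = 0; i < sigs.size(); i++) {
            if (!verifyOne(keys.get(i), msg, sigs.get(i))) return false;
        }
        return true;
    }

    /** Hardened pattern: the component count must equal the composite key's and meet the schema minimum of two. */
    static boolean verifyStrict(List<PublicKey> keys, byte[] msg, byte[] der) throws GeneralSecurityException {
        List<byte[]> sigs = parseComponents(der);
        if (sigs.size() < 2 || sigs.size() != keys.size()) return false;
        for (int i = 0; i < sigs.size(); i++) {
            if (!verifyOne(keys.get(i), msg, sigs.get(i))) return false;
        }
        return true;
    }

    private static byte[] derLength(int len) {
        if (len < 0x80) return new byte[]{(byte) len};
        if (len < 0x100) return new byte[]{(byte) 0x81, (byte) len};
        return new byte[]{(byte) 0x82, (byte) (len >> 8), (byte) len};
    }

    /** Encode component signatures as SEQUENCE OF BIT STRING (helper for the demo). */
    static byte[] encodeComposite(List<byte[]> sigs) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] sig : sigs) {
            body.write(TAG_BIT_STRING);
            body.writeBytes(derLength(sig.length + 1));
            body.write(0); // no unused bits
            body.writeBytes(sig);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(TAG_SEQUENCE);
        out.writeBytes(derLength(body.size()));
        out.writeBytes(body.toByteArray());
        return out.toByteArray();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "constructed sample tbsCertificate bytes".getBytes(StandardCharsets.UTF_8);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("Ed25519");
        KeyPair k1 = kpg.generateKeyPair(), k2 = kpg.generateKeyPair();
        List<PublicKey> keys = List.of(k1.getPublic(), k2.getPublic());
        List<byte[]> sigs = new ArrayList<>();
        for (KeyPair kp : List.of(k1, k2)) {
            Signature s = Signature.getInstance("Ed25519");
            s.initSign(kp.getPrivate());
            s.update(msg);
            sigs.add(s.sign());
        }
        byte[] genuine = encodeComposite(sigs);
        byte[] empty = {(byte) TAG_SEQUENCE, 0x00}; // SEQUENCE with zero components
        System.out.println("genuine / vacuous: " + verifyVacuous(keys, msg, genuine));
        System.out.println("genuine / strict : " + verifyStrict(keys, msg, genuine));
        System.out.println("empty   / vacuous: " + verifyVacuous(keys, msg, empty));
        System.out.println("empty   / strict : " + verifyStrict(keys, msg, empty));
    }
}
```

Run with a JDK of version 15 or later (the first to ship Ed25519). The genuine two-component value passes both checks; the two-byte empty SEQUENCE passes `verifyVacuous` and is rejected by `verifyStrict`, which is the difference between the flawed behaviour described above and a verifier that binds the number of component signatures to the number of component keys. Until an upgrade to 1.84 is possible, an equivalent count check placed in front of the library call is a reasonable compensating control.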

Applications and services that integrate the affected Bouncy Castle libraries for X.509 certificate path validation or PKI-based operations face potential integrity risks. Systems performing signature verification without additional validation layers could be vulnerable to spoofed or unsigned certificate chains being accepted as legitimate. Security teams are advised to audit dependencies for vulnerable bcprov-jdk18on, bcpkix, and related pkix module versions, and apply the patched release (1.84 or later) from official Maven repositories. The National Vulnerability Database has published technical details supporting coordinated disclosure and remediation efforts.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-5588, cryptographic vulnerability, PKIX, BC-JAVA, signature verification
- **Credibility**: unverified
- **Published**: 2026-05-04 09:54:13
- **ID**: 79236
- **URL**: https://whisperx.ai/en/intel/79236