CVE-2026-5588: Bouncy Castle bcpkix Flaw Accepts Empty Signature Sequences as Valid

A cryptographic vulnerability has been identified in the Bouncy Castle Java library's bcpkix module, enabling the PKIX draft CompositeVerifier to accept empty signature sequences as valid. The flaw, tracked as CVE-2026-5588, affects all versions from 1.49 to 1.84 and carries a CVSS severity score of 6.3 (moderate).

The vulnerability centers on improper validation logic within the CompositeVerifier component responsible for processing PKIX certificate chain validation. Specifically, the verifier fails to reject empty signature sequences, potentially allowing attackers to forge or manipulate certificate validation workflows. The Bouncy Castle bcpkix module is a widely deployed cryptographic library for Java applications handling X.509 certificate processing and PKI operations.

The Quarkus framework has already addressed the issue by merging a version update in its main branch, demonstrating proactive remediation by at least one major downstream project. Organizations utilizing Bouncy Castle's bcpkix module in versions prior to 1.84 should evaluate their exposure and apply available patches. The flaw raises particular concerns for applications relying on certificate chain validation as a security control, as the acceptance of empty signatures could undermine authentication mechanisms.