CVE-2026-4601

Critical CVSS: 9.4

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.

Vendor

Jsrsasign Project

Product

Jsrsasign

CWE

CWE-325

Yayın Tarihi

2026-03-23 06:16:21

Güncelleme

2026-03-23 16:10:01

Source Identifier

report@snyk.io

KEV Date Added

Kategoriler

CWE-325 Jsrsasign CRITICAL Jsrsasign Project 2026

Referanslar

https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586 https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb https://github.com/kjur/jsrsasign/pull/645 https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941

Benzer Kayıtlar

High

CVE-2026-4602

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to hand…

Medium

CVE-2026-4603

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsi…

High

CVE-2026-4598

Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsb…

Critical

CVE-2026-4599

Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Fact…

Critical

CVE-2026-4600

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via t…