Vulnerability Description
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jsrsasign Project | Jsrsasign | >= 7.0.0, < 11.1.1 |
Related Weaknesses (CWE)
References
- https://gist.github.com/Kr0emer/081681818b51605c91945126d74b4f20ExploitMitigationThird Party Advisory
- https://github.com/kjur/jsrsasign/commit/ee4b013478366cb16cea9a4bdfb218b6077f83bPatch
- https://github.com/kjur/jsrsasign/pull/647Issue Tracking
- https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370939Third Party Advisory
FAQ
What is CVE-2026-4599?
CVE-2026-4599 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functio...
How severe is CVE-2026-4599?
CVE-2026-4599 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-4599?
Check the references section above for vendor advisories and patch information. Affected products include: Jsrsasign Project Jsrsasign.