CVE-2026-4599

Source
https://cve.org/CVERecord?id=CVE-2026-4599
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4599.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-4599
Aliases
Published
2026-03-23T06:16:21.513Z
Modified
2026-04-02T13:31:35.900032Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.

References

Affected packages

Git / github.com/kjur/jsrsasign

Affected ranges

Type
GIT
Repo
https://github.com/kjur/jsrsasign
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "11.1.1"
        }
    ]
}

Affected versions

1.*
1.2.0
1.3.0
1.3.1
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.1.0
10.1.1
10.1.10
10.1.11
10.1.12
10.1.13
10.1.2
10.1.3
10.1.4
10.1.5
10.1.8
10.1.9
10.2.0
10.3.0
10.3.1
10.3.2
10.4.0
10.4.1
10.5.0
10.5.1
10.5.10
10.5.11
10.5.12
10.5.13
10.5.14
10.5.15
10.5.16
10.5.17
10.5.18
10.5.19
10.5.2
10.5.20
10.5.21
10.5.22
10.5.23
10.5.24
10.5.25
10.5.26
10.5.27
10.5.3
10.5.4
10.5.5
10.5.6
10.5.7
10.5.8
10.5.9
10.6.0
10.6.1
10.7.0
10.8.0
10.8.1
10.8.2
10.8.3
10.8.4
10.8.5
10.8.6
10.9.0
11.*
11.0.0
11.1.0
2.*
2.0.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.2.0
4.2.1
4.2.2
4.2.3
4.5.0
4.6.0
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.5
4.8.6
4.9.0
4.9.1
4.9.2
5.*
5.0.0
5.0.1
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.2
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.1.0
6.*
6.0.0
6.0.1
6.1.0
6.1.1
6.1.2
6.1.4
6.2.0
6.2.1
6.2.2
6.2.3
7.*
7.0.0
7.1.0
7.1.1
7.1.2
7.1.3
7.1.4
7.2.0
7.2.1
7.2.2
8.*
8.0.0
8.0.1
8.0.10
8.0.11
8.0.12
8.0.13
8.0.14
8.0.15
8.0.16
8.0.17
8.0.18
8.0.19
8.0.2
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.3
8.0.4
8.0.5
8.0.6
8.0.7
8.0.8
8.0.9
9.*
9.0.0
9.0.1
9.0.2
9.0.3
9.1.0
9.1.1
9.1.2
9.1.4
9.1.5
9.1.6
9.1.7
9.1.8
9.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4599.json"