CVE-2026-4603

LOW EPSS 1.0%
Published Mar 23, 20263mo ago · Modified Jun 22, 20261w ago
2.0 CVSS 4.0
Low
Find Similar
Published Mar 23, 2026 3mo ago
Last Modified Jun 22, 2026 1w ago

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.

CVSS Details

Base Score
2.0
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
1.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-369

Affected Products 1

VendorProductVersionRange
kjurjsrsasign* <11.1.1

References 4

  • gist.github.com https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3
    ExploitMitigationThird Party Advisory
  • github.com https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f
    Patch
  • github.com https://github.com/kjur/jsrsasign/pull/649
    Issue Tracking
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176
    Third Party Advisory

Remediation

  • github.com https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f
    Patch