CVE-2026-4598 | jsrsasign up to 11.1.0 ext/jsbn2.js bnModInverse infinite loop (SNYK-JS-JSRSASIGN-15370938)

VDB-352486 · CVE-2026-4598 · GCVE-0-2026-4598 JSRSASIGN UP TO 11.1.0 EXT/JSBN2.JS BNMODINVERSE INFINITE LOOP HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 2.50+ Summaryinfo A vulnerability categorized as problematic has been discovered in jsrsasign up to 11.1.0. This affects the function bnModInverse of the file ext/jsbn2.js. Executing a manipulation can lead to infinite loop. This vulnerability is handled as CVE-2026-4598. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component. Detailsinfo A vulnerability classified as problematic was found in jsrsasign up to 11.1.0. This vulnerability affects the function bnModInverse of the file ext/jsbn2.js. The manipulation with an unknown input leads to a infinite loop vulnerability. The CWE definition for the vulnerability is CWE-835. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. As an impact it is known to affect availability. CVE summarizes: Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)). The advisory is available at security.snyk.io. This vulnerability was named CVE-2026-4598 since 03/22/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1499 by the MITRE ATT&CK project. It is declared as proof-of-concept. Upgrading to version 11.1.1 eliminates this vulnerability. Productinfo Name jsrsasign Version 11.0 11.1.0 CPE 2.3info 🔒 🔒 CPE 2.2info 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (snyk): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Infinite loop CWE: CWE-835 / CWE-404 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Proof-of-Concept Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: jsrsasign 11.1.1 Timelineinfo 03/22/2026 CVE reserved 03/23/2026 +1 days Advisory disclosed 03/23/2026 +0 days VulDB entry created 03/23/2026 +0 days VulDB entry last update Sourcesinfo Advisory: SNYK-JS-JSRSASIGN-15370938 Status: Confirmed CVE: CVE-2026-4598 (🔒) GCVE (CVE): GCVE-0-2026-4598 GCVE (VulDB): GCVE-100-352486 Entryinfo Created: 03/23/2026 07:14 Changes: 03/23/2026 07:14 (78) Complete: 🔍 Cache ID: 99:5DD:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸