CVE-2026-4599 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: March 23, 2026
jsrsasign - Authentication Bypass
Overview
jsrsasign <= 11.1.1 contains an incomplete comparison vulnerability caused by incorrect compareTo checks in getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions, letting attackers recover private keys by biasing DSA nonces during signature generation, exploit requires crafted signature requests.
Severity & Score
Impact
Attackers can recover private keys by exploiting biased DSA nonces, compromising cryptographic security.
Mitigation
Update to a version later than 11.1.1 or the latest available version.
References
Social Media Activity(2 posts)
š„ CRITICAL: CVE-2026-4599 in jsrsasign 7.0.0 ā 11.1.1 lets attackers recover private keys via DSA nonce bias. No auth needed ā patch ASAP or add nonce checks! https://radar.offseq.com/threat/cve-2026-4599-incomplete-comparison-with-missing-f-9aee8aa7 #OffSeq #Vulnerability #Cryptography #CVE20264599
View original post
š“ CVE-2026-4599 - Critical (9.1) Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recove... š https://www.thehackerwire.com/vulnerability/CVE-2026-4599/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-4599
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- broken_authentication
- Status
- confirmed
- EPSS
- 2.8%
- Social Posts
- 2
CWE
- CWE-1023
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N