CVE-2026-4603 - Vulnerability Analysis
Medium | CVSS: 5.9 | Last Updated: March 23, 2026
jsrsasign - Denial of Service
Published: March 23, 2026 | Updated: March 23, 2026 | PoC Available
Overview
jsrsasign < 11.1.1 contains a division-by-zero vulnerability caused by improper handling of RSA public-key operations in ext/rsa.js and ext/jsbn.js. It lets attackers force these operations to produce zero outputs. Exploitation requires a crafted JWK with a zero modulus.
Severity & Score
Severity: Medium
CVSS Score: 5.9
Impact
Attackers can cause RSA operations to output zero, bypassing invalid key errors and potentially disrupting cryptographic validation.
Mitigation
Update to version 11.1.1 or later.
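A defence-in-depth check that complements the upgrade, as an added example (not jsrsasign code): it rejects an RSA public JWK whose modulus decodes to zero, the input described in the Overview, before the key reaches any RSA routine. The function names and the 2048-bit minimum are assumptions.

```javascript
// Added example: structural checks on an RSA public JWK before any library sees it.
// MIN_MODULUS_BITS and all function names are assumptions, not jsrsasign API.
const MIN_MODULUS_BITS = 2048;

// Decode an unpadded base64url string (RFC 7515) to a non-negative BigInt.
function b64uToBigInt(value) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9_-]+$/.test(value)) {
    return null; // missing, empty, or not base64url
  }
  const bytes = Buffer.from(value.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  if (bytes.length === 0) return null;
  return BigInt('0x' + bytes.toString('hex'));
}

function bitLength(n) {
  return n === 0n ? 0 : n.toString(2).length;
}

// Returns { ok: true } or { ok: false, reason } for a JWK object.
function checkRsaPublicJwk(jwk) {
  if (!jwk || jwk.kty !== 'RSA') return { ok: false, reason: 'not an RSA JWK' };
  const n = b64uToBigInt(jwk.n);
  const e = b64uToBigInt(jwk.e);
  if (n === null || e === null) return { ok: false, reason: 'n or e is not base64url' };
  // Leading zero bytes do not matter: any all-zero encoding decodes to 0n.
  if (n === 0n) return { ok: false, reason: 'zero modulus' };
  if (bitLength(n) < MIN_MODULUS_BITS) return { ok: false, reason: 'modulus too short' };
  if ((n & 1n) === 0n) return { ok: false, reason: 'even modulus' };
  if (e < 3n || (e & 1n) === 0n) return { ok: false, reason: 'invalid public exponent' };
  return { ok: true };
}

// Constructed sample inputs (not real keys).
const toB64u = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const zeroModulusJwk = { kty: 'RSA', n: 'AA', e: 'AQAB' };                     // n = 0x00
const paddedZeroJwk = { kty: 'RSA', n: toB64u(Buffer.alloc(256)), e: 'AQAB' }; // 256 zero bytes
const wellFormedJwk = {                                                        // right shape only
  kty: 'RSA', n: toB64u(Buffer.alloc(256, 0xff)), e: 'AQAB',
};

console.log(checkRsaPublicJwk(zeroModulusJwk), checkRsaPublicJwk(wellFormedJwk));
```

These checks are structural only: they do not prove the modulus is a valid RSA modulus, and they are not a substitute for the fixed version.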
Details
- CVE ID: CVE-2026-4603
- Severity: Medium
- CVSS Score: 5.9
- Type: undefined
- Status: confirmed
CWE
- CWE-369
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L