CVE-2026-4601CRITICAL 9.1EPSS p12.0%

CVE-2026-4601CVE-2026-4601

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.22% probability of exploitation · percentile 12.0% · 2026-06-19T12:03:05Z
Published2026-03-23
Last modified2026-04-29

Underlying weaknesses· 1

CWE-325

References

  1. https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586
  2. https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb
  3. https://github.com/kjur/jsrsasign/pull/645
  4. https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941

1

TypeTargetConfidenceTier
WeaknessMissing Cryptographic Stepcwe-3250%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-4600
CVE
CVE-2026-4599
CVE
CVE-2026-4258
CVE
CVE-2025-4658
CVE
CVE-2025-3757
CVE
CVE-2026-5194
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.