High severity8.7NVD Advisory· Published Mar 23, 2026· Updated Apr 29, 2026
CVE-2026-4601
CVE-2026-4601
Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jsrsasignnpm | < 11.1.1 | 11.1.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0ebnvdPatchWEB
- gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586nvdExploitMitigationThird Party AdvisoryWEB
- github.com/advisories/GHSA-w8q8-93cx-6h7rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-4601ghsaADVISORY
- security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941nvdThird Party AdvisoryWEB
- github.com/kjur/jsrsasign/pull/645nvdIssue TrackingWEB
News mentions
0No linked articles in our index yet.