Incomplete Comparison Vulnerability in jsrsasign by KJUR
CVE-2026-4599

9.3 CRITICAL

Key Information:

Vendor: KJUR
Status: Vendor
CVE Published: 23 March 2026

What is CVE-2026-4599?

The jsrsasign library by KJUR contains an Incomplete Comparison weakness in its bounded random-number helpers getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax. The comparison that is meant to confine the generated value to the requested interval is imprecise, so these functions can return out-of-range values. The library relies on them to draw the per-signature nonce k during Digital Signature Algorithm (DSA) signing, where k must lie strictly within [1, q-1]; a nonce outside that range weakens the signature and can allow an attacker who observes signatures to recover the private key. Users of affected versions should assess their exposure and upgrade to a fixed release.

Affected Version(s)

jsrsasign 7.0.0 up to, but not including, 11.1.1

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Kr0emer