Cryptographic Implementation Flaw in jsrsasign by KJUR
CVE-2026-4601

9.4 CRITICAL

Key Information:

Vendor

KJUR

Status
Vendor
CVE Published:
23 March 2026

What is CVE-2026-4601?

jsrsasign before 11.1.1 has a flaw in its DSA signing routine, KJUR.crypto.DSA.signWithMessageHash. DSA produces a signature (r, s) from a fresh random nonce k as r = (g^k mod p) mod q and s = k^-1 (H(m) + x r) mod q, and the standard requires the signer to discard k and start again whenever r or s comes out as zero. The affected versions do not retry: when r or s is zero, the function returns the degenerate signature as it is. An attacker who can drive signing to such an outcome, as the advisory describes, obtains a signature that is not only invalid but key-revealing: s = 0 means H(m) + x r ≡ 0 (mod q), so the private key follows directly from public data as x = -H(m) r^-1 mod q. A zero r likewise yields an invalid signature that must never be emitted. With a uniformly random k the zero case arises with probability on the order of 1/q per signature; the fix is to generate a new k and repeat. Users of the library should upgrade to 11.1.1 or later, and verifiers should continue to reject any signature with r or s outside the range 1 to q-1.
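The missing retry and the key recovery it enables, as an added example that is not jsrsasign's code: a toy DSA over constructed, deliberately insecure parameters (p = 23, q = 11, g = 4), with the non-retrying signer beside the corrected one, a verifier with the range check, and the algebra that recovers x from an s = 0 signature. All function names (signNoRetry, signWithRetry, recoverPrivateKeyFromZeroS, demo) and the private key, hash and nonce values are assumptions made up for the illustration; real DSA uses a q of at least 160 bits, where a zero s essentially never arises from a properly random k.

```javascript
// Added example, not jsrsasign code. Toy DSA over a constructed, insecure
// group: p = 23, q = 11 (q divides p - 1), g = 4 has order q modulo p.
const P = 23n;
const Q = 11n;
const G = 4n;

// Non-negative modular reduction for BigInt (JS % keeps the sign of a).
function mod(a, m) {
  return ((a % m) + m) % m;
}

// Square-and-multiply modular exponentiation.
function modPow(base, exp, m) {
  let result = 1n;
  let b = mod(base, m);
  let e = exp;
  while (e > 0n) {
    if (e & 1n) result = (result * b) % m;
    b = (b * b) % m;
    e >>= 1n;
  }
  return result;
}

// Modular inverse by Fermat's little theorem; m must be prime, a != 0 mod m.
function modInv(a, m) {
  if (mod(a, m) === 0n) throw new Error("no inverse for 0");
  return modPow(a, m - 2n, m);
}

// Signing WITHOUT the mandatory retry, mirroring the behaviour the advisory
// describes: r and s are computed once for the given nonce k and returned
// even when one of them is zero.
function signNoRetry(x, h, k) {
  const r = modPow(G, k, P) % Q;
  const s = mod(modInv(k, Q) * (h + x * r), Q);
  return { r, s };
}

// Corrected signing: keep drawing nonces from nextK() until both r and s
// are non-zero, as the DSA standard requires.
function signWithRetry(x, h, nextK) {
  for (;;) {
    const k = nextK();
    const r = modPow(G, k, P) % Q;
    if (r === 0n) continue;
    const s = mod(modInv(k, Q) * (h + x * r), Q);
    if (s === 0n) continue;
    return { r, s, k };
  }
}

// Standard verification, including the 0 < r, s < q range check that makes
// a receiver reject degenerate signatures regardless of how they were made.
function verify(y, h, sig) {
  const { r, s } = sig;
  if (r <= 0n || r >= Q || s <= 0n || s >= Q) return false;
  const w = modInv(s, Q);
  const u1 = mod(h * w, Q);
  const u2 = mod(r * w, Q);
  const v = ((modPow(G, u1, P) * modPow(y, u2, P)) % P) % Q;
  return v === r;
}

// Why s == 0 is fatal: s = k^-1 (h + x r) mod q, so s == 0 forces
// h + x r == 0 (mod q), i.e. x = -h * r^-1 (mod q) from public values only.
function recoverPrivateKeyFromZeroS(h, r) {
  return mod(-h * modInv(r, Q), Q);
}

// Walk the toy group to find a nonce whose non-retried signature has s == 0.
function findZeroSNonce(x, h) {
  for (let k = 1n; k < Q; k++) {
    if (signNoRetry(x, h, k).s === 0n) return k;
  }
  return null;
}

// Demonstration with constructed values: private key x = 3, message hash
// already reduced mod q as h = 9.
function demo() {
  const x = 3n;
  const y = modPow(G, x, P);
  const h = 9n;
  const badK = findZeroSNonce(x, h);                       // 7n in this group
  const badSig = signNoRetry(x, h, badK);                  // { r: 8n, s: 0n }
  const recovered = recoverPrivateKeyFromZeroS(h, badSig.r); // equals x
  // The corrected signer is fed the same bad nonce first and skips it.
  const nonces = [badK, badK + 1n];
  const goodSig = signWithRetry(x, h, () => nonces.shift());
  return {
    badSig,
    badRejected: !verify(y, h, badSig),
    recovered,
    leaked: recovered === x,
    goodSig,
    goodVerifies: verify(y, h, goodSig),
  };
}

console.log(demo());
```

Run it with node; the non-retrying signer hands out (r, s) = (8, 0) for nonce 7, from which the private key 3 falls out of one modular inversion, while the retrying signer discards that nonce and returns a signature that verifies. The verifier's range check is the receiving-side defence and should stay in place even after upgrading the library.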

Affected Version(s)

jsrsasign < 11.1.1 (all versions before 11.1.1)

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published (23 March 2026)

Credit

Kr0emer