Cyber Resilience

CVE-2026-4598

HighPublic PoCDDoS

Published: 23 March 2026

Published
23 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0008 23.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4598 is a high-severity Infinite Loop (CWE-835) vulnerability in Jsrsasign Project Jsrsasign. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4598 is a denial-of-service vulnerability in versions of the jsrsasign JavaScript package prior to 11.1.1. The flaw exists in the bnModInverse function within the ext/jsbn2.js file, where the BigInteger.modInverse implementation triggers an infinite loop upon receiving zero or negative inputs, such as modInverse(0, m) or modInverse(-1, m). This CWE-835 issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited remotely by any unauthenticated attacker with network access, requiring low complexity and no user interaction. By supplying crafted inputs to the affected function, an attacker can cause the hosting process to hang permanently, resulting in a high-impact denial of service without affecting confidentiality or integrity.

Advisories recommend updating to jsrsasign version 11.1.1 or later, which addresses the issue via a fix in commit ca5b027240287a1e71fe63019fc4400332594323 and pull request #648 on the project's GitHub repository. Further details, including a proof-of-concept, are provided in the GitHub Gist at https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264 and the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938.

EU & UK References

Vulnerability details

Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values…

more

(e.g., modInverse(0, m) or modInverse(-1, m)).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of the infinite-loop flaw in a cryptographic library function directly enables T1190 when the library is reachable via a public-facing application and T1499.004 via crafted inputs that trigger application-level DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4602Same product: Jsrsasign Project Jsrsasign
CVE-2026-4601Same product: Jsrsasign Project Jsrsasign
CVE-2026-4600Same product: Jsrsasign Project Jsrsasign
CVE-2026-4599Same product: Jsrsasign Project Jsrsasign
CVE-2025-69227Shared CWE-835
CVE-2026-33699Shared CWE-835
CVE-2026-42920Shared CWE-835
CVE-2026-24831Shared CWE-835
CVE-2026-33891Shared CWE-835
CVE-2026-21905Shared CWE-835

Affected Assets

jsrsasign project
jsrsasign
≤ 11.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates CVE-2026-4598 by requiring timely patching of the vulnerable jsrsasign package to version 11.1.1 or later, eliminating the infinite loop in bnModInverse.

prevent

Information input validation prevents exploitation by ensuring inputs to the bnModInverse function are valid positive integers, blocking zero or negative values that trigger the infinite loop.

preventdetect

Denial-of-service protection implements safeguards like resource quotas and monitoring to limit the impact of the infinite loop-induced process hang from crafted inputs.

References