CVE-2026-4598
Published: 23 March 2026
Summary
CVE-2026-4598 is a high-severity Infinite Loop (CWE-835) vulnerability in Jsrsasign Project Jsrsasign. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2026-4598 by requiring timely patching of the vulnerable jsrsasign package to version 11.1.1 or later, eliminating the infinite loop in bnModInverse.
Information input validation prevents exploitation by ensuring inputs to the bnModInverse function are valid positive integers, blocking zero or negative values that trigger the infinite loop.
Denial-of-service protection implements safeguards like resource quotas and monitoring to limit the impact of the infinite loop-induced process hang from crafted inputs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the infinite-loop flaw in a cryptographic library function directly enables T1190 when the library is reachable via a public-facing application and T1499.004 via crafted inputs that trigger application-level DoS.
NVD Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values…
more
(e.g., modInverse(0, m) or modInverse(-1, m)).
Deeper analysisAI
CVE-2026-4598 is a denial-of-service vulnerability in versions of the jsrsasign JavaScript package prior to 11.1.1. The flaw exists in the bnModInverse function within the ext/jsbn2.js file, where the BigInteger.modInverse implementation triggers an infinite loop upon receiving zero or negative inputs, such as modInverse(0, m) or modInverse(-1, m). This CWE-835 issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely by any unauthenticated attacker with network access, requiring low complexity and no user interaction. By supplying crafted inputs to the affected function, an attacker can cause the hosting process to hang permanently, resulting in a high-impact denial of service without affecting confidentiality or integrity.
Advisories recommend updating to jsrsasign version 11.1.1 or later, which addresses the issue via a fix in commit ca5b027240287a1e71fe63019fc4400332594323 and pull request #648 on the project's GitHub repository. Further details, including a proof-of-concept, are provided in the GitHub Gist at https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264 and the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938.
Details
- CWE(s)