CVE-2026-4602
Summary
| CVE | CVE-2026-4602 |
|---|---|
| State | PUBLISHED |
| Assigner | snyk |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-23 06:16:22 UTC |
| Updated | 2026-07-01 13:17:42 UTC |
| Description | Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent. |
Risk And Classification
Primary CVSS: v4.0 7.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.004960000 probability, percentile 0.389130000 (date 2026-07-02)
Problem Types: CWE-681 | CWE-681 Incorrect Conversion between Numeric Types
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/C... |
| 4.0 | CNA | DECLARED | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Na | Jsrsasign | affected 11.1.1 semver | Not specified |
| CNA | Na | Org.webjars.npmjsrsasign | affected * semver | Not specified |
| ADP | Red Hat | Migration Toolkit For Virtualization 2.1 | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Virtualization 2.9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.12 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.15 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.16 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3.9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195 | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:19410 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812274 | [email protected] | security.snyk.io | |
| access.redhat.com/errata/RHSA-2026:6720 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6568 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19375 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6912 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4602.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6926 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-4602 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175 | [email protected] | security.snyk.io | Third Party Advisory |
| gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5 | [email protected] | gist.github.com | Exploit, Mitigation, Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:19409 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/kjur/jsrsasign/pull/650 | [email protected] | github.com | Issue Tracking |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Kr0emer (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-23T06:01:28.729Z | Reported to Red Hat. |
| ADP | 2026-03-23T05:00:10.567Z | Made public. |
Solutions
ADP: RHSA-2026:19409: Migration Toolkit for Virtualization 2.1
ADP: RHSA-2026:19410: Migration Toolkit for Virtualization 2.9
ADP: RHSA-2026:6912: Red Hat Quay 3.10
ADP: RHSA-2026:6720: Red Hat Quay 3.12
ADP: RHSA-2026:6568: Red Hat Quay 3.15
ADP: RHSA-2026:19375: Red Hat Quay 3.16
ADP: RHSA-2026:6926: Red Hat Quay 3.9
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.