{"api_version":"1","generated_at":"2026-07-03T08:10:19+00:00","cve":"CVE-2026-4598","urls":{"html":"https://cve.report/CVE-2026-4598","api":"https://cve.report/api/cve/CVE-2026-4598.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-4598","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-4598"},"summary":{"title":"CVE-2026-4598","description":"Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).","state":"PUBLISHED","assigner":"snyk","published_at":"2026-03-23 06:16:21","updated_at":"2026-07-01 13:17:40"},"problem_types":["CWE-835","CWE-1287","CWE-835 Infinite loop","CWE-1287 Improper Validation of Specified Type of Input"],"metrics":[{"version":"4.0","source":"report@snyk.io","type":"Secondary","score":"7.7","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"PROOF_OF_CONCEPT","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"}},{"version":"3.1","source":"ADP","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"report@snyk.io","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","exploitCodeMaturity":"PROOF_OF_CONCEPT","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-4598","name":"https://access.redhat.com/security/cve/CVE-2026-4598","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4598.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4598.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:19410","name":"https://access.redhat.com/errata/RHSA-2026:19410","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938","name":"https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938","refsource":"report@snyk.io","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6720","name":"https://access.redhat.com/errata/RHSA-2026:6720","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6568","name":"https://access.redhat.com/errata/RHSA-2026:6568","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450210","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2450210","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323","name":"https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323","refsource":"report@snyk.io","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:19375","name":"https://access.redhat.com/errata/RHSA-2026:19375","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812263","name":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812263","refsource":"report@snyk.io","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264","name":"https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264","refsource":"report@snyk.io","tags":["Exploit","Mitigation","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:23361","name":"https://access.redhat.com/errata/RHSA-2026:23361","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/kjur/jsrsasign/pull/648","name":"https://github.com/kjur/jsrsasign/pull/648","refsource":"report@snyk.io","tags":["Issue Tracking"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:22840","name":"https://access.redhat.com/errata/RHSA-2026:22840","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:19409","name":"https://access.redhat.com/errata/RHSA-2026:19409","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-4598","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4598","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"jsrsasign","version":"affected 11.1.1 semver","platforms":[]},{"source":"CNA","vendor":"n/a","product":"org.webjars.npm:jsrsasign","version":"affected * semver","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Virtualization 2.1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Virtualization 2.9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3.10","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3.12","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3.15","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3.16","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3.9","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-03-23T06:01:47.891Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-03-23T05:00:11.571Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:19409: Migration Toolkit for Virtualization 2.1","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:19410: Migration Toolkit for Virtualization 2.9","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:22840: Red Hat Quay 3.10","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6720: Red Hat Quay 3.12","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6568: Red Hat Quay 3.15","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:19375: Red Hat Quay 3.16","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:23361: Red Hat Quay 3.9","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Kr0emer","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"4598","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kjur","cpe5":"jsrsasign","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"4598","cve":"CVE-2026-4598","epss":"0.005540000","percentile":"0.421380000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:12"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-4598","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-23T14:37:02.606788Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-23T14:37:09.505Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:migration_toolkit_virtualization:2.10::el9"],"defaultStatus":"affected","product":"Migration Toolkit for Virtualization 2.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_virtualization:2.9::el9"],"defaultStatus":"affected","product":"Migration Toolkit for Virtualization 2.9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.10::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.12::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.12","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.15::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.15","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.16::el9"],"defaultStatus":"affected","product":"Red Hat Quay 3.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.9::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.9","vendor":"Red Hat"}],"datePublic":"2026-03-23T05:00:11.571Z","descriptions":[{"lang":"en","value":"A flaw was found in jsrsasign. A remote attacker could exploit this vulnerability by providing specially crafted zero or negative inputs to the bnModInverse function within the BigInteger.modInverse implementation. This could lead to an infinite loop, causing a permanent denial of service (DoS) by hanging the process."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1287","description":"Improper Validation of Specified Type of Input","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-01T12:04:59.959Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-4598"},{"name":"RHBZ#2450210","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450210"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4598.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19409"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19410"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22840"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6720"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19375"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23361"}],"solutions":[{"lang":"en","value":"RHSA-2026:19409: Migration Toolkit for Virtualization 2.1"},{"lang":"en","value":"RHSA-2026:19410: Migration Toolkit for Virtualization 2.9"},{"lang":"en","value":"RHSA-2026:22840: Red Hat Quay 3.10"},{"lang":"en","value":"RHSA-2026:6720: Red Hat Quay 3.12"},{"lang":"en","value":"RHSA-2026:6568: Red Hat Quay 3.15"},{"lang":"en","value":"RHSA-2026:19375: Red Hat Quay 3.16"},{"lang":"en","value":"RHSA-2026:23361: Red Hat Quay 3.9"}],"timeline":[{"lang":"en","time":"2026-03-23T06:01:47.891Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-23T05:00:11.571Z","value":"Made public."}],"title":"jsrsasign: jsrsasign: Denial of Service via infinite loop in bnModInverse function with crafted inputs","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"jsrsasign","vendor":"n/a","versions":[{"lessThan":"11.1.1","status":"affected","version":"0","versionType":"semver"}]},{"product":"org.webjars.npm:jsrsasign","vendor":"n/a","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","value":"Kr0emer"}],"descriptions":[{"lang":"en","value":"Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m))."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","exploitCodeMaturity":"PROOF_OF_CONCEPT","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P","version":"3.1"},"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"PROOF_OF_CONCEPT","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-835","description":"Infinite loop","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-06-25T15:25:06.932Z","orgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","shortName":"snyk"},"references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938"},{"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812263"},{"url":"https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264"},{"url":"https://github.com/kjur/jsrsasign/pull/648"},{"url":"https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323"}]}},"cveMetadata":{"assignerOrgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","assignerShortName":"snyk","cveId":"CVE-2026-4598","datePublished":"2026-03-23T05:00:11.571Z","dateReserved":"2026-03-22T16:25:51.590Z","dateUpdated":"2026-07-01T12:04:59.959Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-23 06:16:21","lastModifiedDate":"2026-07-01 13:17:40","problem_types":["CWE-835","CWE-1287","CWE-835 Infinite loop","CWE-1287 Improper Validation of Specified Type of Input"],"metrics":{"cvssMetricV40":[{"source":"report@snyk.io","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"report@snyk.io","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-23T14:37:02.606788Z","id":"CVE-2026-4598","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kjur:jsrsasign:*:*:*:*:*:node.js:*:*","versionEndExcluding":"11.1.1","matchCriteriaId":"46D62CE4-1F1B-44DF-BFAB-86FE57D7A194"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"4598","Ordinal":"1","Title":"CVE-2026-4598","CVE":"CVE-2026-4598","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"4598","Ordinal":"1","NoteData":"Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).","Type":"Description","Title":"CVE-2026-4598"}]}}}