CVE-2026-4599
Received - Intake
Incomplete Comparison Vulnerability in jsrsasign Enables Private Key Recovery

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: Snyk

Description
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
Meta Information
Published: 2026-03-23
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: jsrsasign_project
Product: jsrsasign
Version / Range: from 7.0.0 (inclusive) to 11.1.1 (exclusive)
CWE
CWE-1023: The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4599 is a vulnerability in the jsrsasign JavaScript cryptographic library affecting versions from 7.0.0 up to, but not including, 11.1.1. The issue lies in DSA nonce generation, specifically in the rejection-sampling helpers getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax in src/crypto-1.1.js. Both use BigInteger.compareTo as if it could only return -1, 0 or 1, but the jsbn-derived BigInteger that jsrsasign uses returns an arbitrary signed integer (the difference in digit count, or the difference of the most significant digit that differs; only the sign is meaningful). A check such as `compareTo() != -1` therefore treats a result of -2, -3 and so on as "in range", so most candidates larger than the maximum are accepted.

A DSA nonce k must be uniformly random in [1, q-1]. An accepted candidate with k >= q does not make the signature fail: g has order q and s is computed modulo q, so the signature is exactly the one that k mod q would have produced, and the effective nonces are no longer uniform because the residues reachable from out-of-range candidates occur more often than the rest. A bias of this kind, consistent across many signatures by the same key, is what lattice-based or Hidden Number Problem (HNP) attacks exploit to recover the private key.

The root cause is the flawed comparison logic in the rejection sampling, which fails to reject invalid nonce candidates. A minimal patch that relies only on the sign of the compareTo result (`>= 0` and `> 0` instead of `!= -1` and `== 1`) fixes the issue.


How can this vulnerability impact me?

This vulnerability affects the confidentiality of DSA private keys and the integrity of everything signed with them through jsrsasign's DSA implementation.

- An attacker who can collect enough signatures produced with a vulnerable version can use the biased nonces to recover the private key.
- With the private key, the attacker can forge signatures and impersonate the key owner.
- The attack requires no special privileges or user interaction; the signatures it needs are typically obtainable over the network.

Overall, the vulnerability voids the security guarantees of DSA signatures made with affected versions, potentially leading to unauthorized access and data breaches. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing the behavior of the jsrsasign package's DSA nonce generation, specifically by checking for out-of-range or biased nonce values during signature generation.

The resources describe a statistical method: generate a large number of DSA signatures with a vulnerable version and analyze the distribution of the nonces (k values); an overflow rate of about 6% out-of-range nonces was reported as the signature of the bug. Note that k cannot be read from a signature alone. It can only be recomputed as k = s^-1 (H(m) + x r) mod q by whoever holds the private key x, so this check is available to the key owner auditing their own signatures, not to an outside observer of logs or traffic.

No direct network or system commands are provided in the resources, but detection involves:

- Calling getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax directly with a chosen maximum many times and checking whether any returned value exceeds it; a correct implementation never returns one.
- If you hold the private key, recomputing k from your own signatures and running statistical tests on the resulting distribution to identify bias.
- Reviewing the version of jsrsasign used in your environment (for example in package-lock.json or with `npm ls jsrsasign`) and checking whether it falls within the vulnerable range (>=7.0.0 and <11.1.1), which is the simplest and most reliable check since the flaw is in the library's JavaScript code. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate recommended mitigation is to upgrade the jsrsasign package to version 11.1.1 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, applying the patch that corrects the comparison logic in getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax mitigates the issue. This means changing the acceptance check from `compareTo() != -1` to `compareTo() >= 0` and the min/max guard from `flagCompare == 1` to `flagCompare > 0`, so that only the sign of the compareTo result is relied on.

Afterwards, verify that the patched code rejects out-of-range nonce values and performs proper boundary checks, for example by calling the two functions with a small maximum many times and confirming that no result exceeds it. Because a DSA key that has produced many signatures through a vulnerable version may already be recoverable, consider rotating such keys rather than relying on the upgrade alone.

