CVE-2026-4599
Received Received - Intake
Incomplete Comparison Vulnerability in jsrsasign Enables Private Key Recovery

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: Snyk

Description
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4599
EUVD
EUVD-2026-14373
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jsrsasign_project jsrsasign From 7.0.0 (inc) to 11.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1023 The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4599 is a vulnerability in the jsrsasign JavaScript cryptographic library affecting versions from 7.0.0 up to before 11.1.1. The issue lies in the DSA nonce generation process, specifically in the functions getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax. These functions use the BigInteger.compareTo method incorrectly by assuming it only returns -1, 0, or 1, while it can return any signed integer. This incorrect comparison allows out-of-range random values to be accepted during nonce generation.

Because the nonce (k) used in DSA signatures must be uniformly random within a specific range, accepting out-of-range values biases the nonce distribution. This bias can be exploited by attackers using lattice-based or Hidden Number Problem (HNP) attacks to recover the private key from multiple signatures.

The root cause is the flawed comparison logic in rejection sampling, which fails to reject invalid nonce candidates properly. A minimal patch correcting the comparison operators to handle all possible compareTo return values fixes the issue.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have a severe impact on the confidentiality and integrity of cryptographic operations that rely on the jsrsasign library's DSA signature implementation."}, {'type': 'list_item', 'content': 'An attacker can remotely exploit the biased nonce generation to recover the private key used in DSA signatures.'}, {'type': 'list_item', 'content': 'Once the private key is recovered, the attacker can forge signatures, impersonate the key owner, or decrypt sensitive data.'}, {'type': 'list_item', 'content': 'The attack requires no special privileges or user interaction and can be performed over the network.'}, {'type': 'paragraph', 'content': 'Overall, the vulnerability compromises the security guarantees of DSA signatures, potentially leading to unauthorized access and data breaches.'}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by analyzing the behavior of the jsrsasign package's DSA nonce generation, specifically by checking for biased or out-of-range nonce values during signature generation."}, {'type': 'paragraph', 'content': 'A practical detection method involves collecting a large number of DSA signatures generated by the vulnerable jsrsasign versions and statistically analyzing the distribution of the nonces (k values). An overflow rate of about 6% out-of-range nonces indicates the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'No direct network or system commands are provided in the resources, but detection involves:'}, {'type': 'list_item', 'content': 'Extracting DSA signatures generated by jsrsasign from logs or intercepted traffic.'}, {'type': 'list_item', 'content': 'Using scripts or tools to parse the signatures and extract nonce values.'}, {'type': 'list_item', 'content': 'Performing statistical tests on the nonce distribution to identify bias or out-of-range values.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is in JavaScript code, reviewing the version of jsrsasign used in your environment and checking if it falls within the vulnerable range (>=7.0.0 and <11.1.1) is also a key detection step.'}] [1]

Mitigation Strategies

The immediate recommended mitigation is to upgrade the jsrsasign package to version 11.1.1 or higher, where the vulnerability has been fixed.

If upgrading is not immediately possible, applying the patch that corrects the comparison logic in the functions getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax can mitigate the issue. This involves changing the comparison from `compareTo() != -1` to `compareTo() >= 0` and adjusting the min/max guard from `flagCompare == 1` to `flagCompare > 0`.

Additionally, verifying that the patched code rejects out-of-range nonce values and performs proper boundary checks is important to ensure the fix is effective.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4599. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart