Vulnerabilities ›

CVE-2026-4603

Medium ⚡ Exploit Available

CWE-369 — Weakness Type

                    Published: Mar 23, 2026                      ·  Modified: Mar 24, 2026                      ·  Source: NVD                

CVSS v3

5.9

🔗 NVD Official

📄 Description (English)

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.

🤖 AI Executive Summary

CVE-2026-4603 is a division by zero vulnerability in jsrsasign versions before 11.1.1 affecting RSA public-key operations through malformed JWK modulus values. An attacker can force cryptographic operations to produce deterministic zero outputs, potentially bypassing signature verification and encryption security controls.

📄 Description (Arabic)

تؤثر هذه الثغرة على مكتبة jsrsasign وتسمح للمهاجمين بتوفير قيم JWK معيبة بـ modulus صفري. يمكن للهجوم أن يسبب فشل التحقق من التوقيع بصمت أو إنتاج مخرجات قابلة للتنبؤ من التشفير، مما يعرض المصادقة والسرية للخطر.

🤖 ملخص تنفيذي (AI)

This vulnerability in jsrsasign library affects RSA cryptographic operations by allowing attackers to supply specially crafted JWK values with zero modulus. The flaw can cause signature verification to fail silently or encryption to produce predictable outputs, compromising authentication and confidentiality.

🤖 AI Intelligence Analysis Analyzed: May 24, 2026 16:32

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking government telecom

🎯 MITRE ATT&CK Techniques

T1040 T1187

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade jsrsasign to version 11.1.1 or later. Implement input validation to reject JWK objects with zero or invalid modulus values before processing. Add cryptographic operation result validation to detect and reject zero outputs from RSA operations.

🔧 خطوات المعالجة (العربية)

قم بترقية jsrsasign فوراً إلى الإصدار 11.1.1 أو أحدث. طبق التحقق من صحة المدخلات لرفض كائنات JWK ذات قيم modulus صفرية أو غير صالحة قبل المعالجة. أضف التحقق من نتائج العمليات التشفيرية لكشف ورفض المخرجات الصفرية من عمليات RSA.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.2.1 5.2.2

🔵 SAMA CSF

AC-3 SC-13

🟡 ISO 27001:2022

A.10.1.1 A.13.1.1

🔗 References & Sources 4

🔗

https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3

report@snyk.io

Exploit Mitigation Third Party Advisory

🔗

https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f

report@snyk.io

Patch

🔗

https://github.com/kjur/jsrsasign/pull/649

report@snyk.io

Issue Tracking

🔗

https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176

report@snyk.io

Third Party Advisory

📦 Affected Products / CPE 1 entries

jsrsasign_project:jsrsasign

📊 CVSS Score

5.9

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score5.9

CWECWE-369

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-03-23

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

exploit-available patch-available CWE-369

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-4603

Introduce Yourself

Sign In Required