{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4603", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-22T16:26:19.818Z", "datePublished": "2026-03-23T05:00:14.060Z", "dateUpdated": "2026-03-23T14:42:16.345Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}], "credits": [{"value": "Kr0emer", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-369", "description": "Division by zero", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-23T05:00:14.060Z"}, "descriptions": [{"value": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide \u201cinvalid key\u201d errors by supplying a JWK whose modulus decodes to zero.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176"}, {"url": "https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3"}, {"url": "https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f"}, {"url": "https://github.com/kjur/jsrsasign/pull/649"}], "affected": [{"product": "jsrsasign", "versions": [{"version": "0", "lessThan": "11.1.1", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:42:08.541897Z", "id": "CVE-2026-4603", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:42:16.345Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4603", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T14:42:08.541897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:42:13.779Z"}}], "cna": {"credits": [{"lang": "en", "value": "Kr0emer"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}, "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "jsrsasign", "versions": [{"status": "affected", "version": "0", "lessThan": "11.1.1", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176"}, {"url": "https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3"}, {"url": "https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f"}, {"url": "https://github.com/kjur/jsrsasign/pull/649"}], "descriptions": [{"lang": "en", "value": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide \u201cinvalid key\u201d errors by supplying a JWK whose modulus decodes to zero."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-369", "description": "Division by zero"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-23T05:00:14.060Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4603", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:42:16.345Z", "dateReserved": "2026-03-22T16:26:19.818Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-03-23T05:00:14.060Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1EBBE1A6-4D19-4ED2-859C-73AFBDA25DEA", "versionEndExcluding": "11.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide \u201cinvalid key\u201d errors by supplying a JWK whose modulus decodes to zero."}, {"lang": "es", "value": "Versiones del paquete jsrsasign anteriores a la 11.1.1 son vulnerables a la divisi\u00f3n por cero debido a la ruta de an\u00e1lisis RSASetPublic/KEYUTIL en ext/rsa.js y la l\u00f3gica de reducci\u00f3n BigInteger.modPowInt en ext/jsbn.js. Un atacante puede forzar que las operaciones de clave p\u00fablica RSA (por ejemplo, verificar y cifrado) colapsen a salidas cero deterministas y ocultar errores de 'clave no v\u00e1lida' al proporcionar un JWK cuyo m\u00f3dulo se decodifica a cero."}], "id": "CVE-2026-4603", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-03-23T06:16:22.233", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f"}, {"source": "report@snyk.io", "tags": ["Issue Tracking"], "url": "https://github.com/kjur/jsrsasign/pull/649"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-369"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "jsrsasign: jsrsasign: Cryptographic operations impacted by division by zero via malicious JSON Web Key", "id": "2450205", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450205"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-369", "details": ["A flaw was found in jsrsasign. An attacker can exploit a division by zero vulnerability by supplying a specially crafted JSON Web Key (JWK) whose modulus decodes to zero. This vulnerability can force RSA public-key operations, such as verification and encryption, to produce deterministic zero outputs. This impacts the reliability and integrity of cryptographic operations and can conceal \"invalid key\" errors."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-4603", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "mtv-candidate/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-03-23T05:00:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4603\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4603\nhttps://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3\nhttps://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f\nhttps://github.com/kjur/jsrsasign/pull/649\nhttps://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176"], "statement": "This flaw has a MODERATE impact. A division by zero vulnerability in jsrsasign, as used in Red Hat Migration Toolkit for Virtualization and Red Hat Quay, allows an attacker to provide a malicious JSON Web Key (JWK) that can lead to incorrect RSA public-key operation outputs and mask key validation errors. This compromises the reliability and integrity of cryptographic processes within affected Red Hat products.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.1)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "jsrsasign", "source": "cna", "vendor": "n/a"}, "product": "jsrsasign", "vendor": "kjur"}], "analysis": {"en": {"generated_at": "2026-03-23T17:36:17.572106+00:00", "value": {"mitigation_remediation": ["Upgrade the jsrsasign library to version 11.1.1 or later in all affected codebases;"], "summary": {"action": "Patch", "impact": "Cryptographic operations collapse to deterministic zero outputs and error suppression"}, "threat_synthesis": {"affected_systems": "The issue affects the JavaScript library jsrsasign provided by the jsrsasign project, for use in Node.js environments. All package versions released before 11.1.1 are vulnerable; upgrading to 11.1.1 or a later release removes the flaw.", "description_and_impact": "The vulnerability arises from a division by zero error in the RSASetPublic parsing logic and BigInteger.modPowInt reduction used by jsrsasign. An attacker who supplies a JSON Web Key whose modulus decodes to zero can force RSA public\u2011key operations, such as signature verification and encryption, to produce zero results. The error handling also suppresses the expected \u201cinvalid key\u201d message, making detection difficult. This flaw can enable an adversary to bypass cryptographic checks that rely on public\u2011key verification or to corrupt encrypted data without detection.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.1, indicating medium severity, and an EPSS score of less than 1\u202f%, suggesting low likelihood of exploitation in the near term. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to control the JSON Web Key input supplied to the library, which is typically possible in applications that parse or process JWK data from external sources. No publicly disclosed exploits have been reported, but the deterministic zero output could be leveraged to subvert authentication or data integrity checks."}}}}, "created": "2026-03-23T09:45:29.721624+00:00", "updated": "2026-03-25T14:49:47.450756+00:00", "vendors": ["kjur", "kjur$PRODUCT$jsrsasign"]}