CVE-2026-4598: Infinite loop in jsrsasign
Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).
AI Analysis
Technical Summary
CVE-2026-4598 is a vulnerability in jsrsasign, a widely used pure-JavaScript cryptographic toolkit. The issue lies in the bnModInverse function in ext/jsbn2.js, which implements BigInteger.modInverse, the modular-inverse routine that jsrsasign's RSA and elliptic-curve code relies on. The binary extended-Euclid loop in that function assumes a positive, invertible operand: with a zero or negative operand its termination conditions are never reached, so a call such as x.modInverse(m) with x equal to 0 or -1 (written modInverse(0, m) and modInverse(-1, m) in the advisory) spins forever. JavaScript is single-threaded, so in Node.js the loop blocks the event loop and the whole process stops serving requests; in a browser it freezes the page. The result is a denial-of-service (DoS) condition that persists until the process is killed, because the loop never exits on its own. The vulnerability needs no authentication or user interaction, but it is reachable only where attacker-influenced integers (signature components, key parameters or other values decoded from untrusted input) flow into modInverse, so the practical remote exposure of a given deployment depends on which jsrsasign code paths it exposes to untrusted data. All versions before 11.1.1 lack validation or error handling for these cases; 11.1.1 addresses the issue. The CVSS 4.0 base score of 8.7 (High) reflects a network attack vector, low attack complexity, no privileges or user interaction required and high impact on availability, with no impact on confidentiality or integrity. No exploitation in the wild has been reported, but the triggering input is trivial to construct, so services that accept externally supplied keys or signatures should treat this as a priority fix. The flaw is a reminder that cryptographic libraries must validate operands for arithmetic edge cases, not only for cryptographic soundness.
Potential Impact
The primary impact of CVE-2026-4598 is a denial-of-service condition caused by an infinite loop in the jsrsasign library. Organizations running vulnerable versions risk having their services hang, not crash: the loop never exits, so the affected process pins a CPU core and stops servicing other requests until it is killed or restarted by a supervisor. This can lead to service outages, degraded performance and cascading failures in dependent systems, and a single crafted request is enough to take down a single-threaded Node.js process. Since jsrsasign is commonly used in web applications, APIs and other JavaScript environments for cryptographic operations such as signature verification and key handling, any endpoint that passes externally supplied values into those operations is potential attack surface, with no authentication required. Confidentiality and integrity are not directly affected, but the inability to complete legitimate cryptographic operations can halt secure communications or transactions. Automated exploitation could produce widespread denial of service against organizations relying on jsrsasign, especially those with high traffic or exposed endpoints, and repeated triggering defeats simple restart-on-hang recovery. The absence of known exploits in the wild suggests limited current impact, but the ease of exploitation and the high severity score warrant immediate attention.
Mitigation Recommendations
To mitigate CVE-2026-4598, upgrade jsrsasign to version 11.1.1 or later, where the infinite loop has been addressed; use npm ls jsrsasign (or the equivalent for your package manager) to find transitive copies pulled in by other dependencies, since those are easy to miss. If upgrading is not immediately feasible, add input validation so that any value handed to modInverse is a strictly positive integer smaller than a modulus greater than 1; because the call usually sits deep inside the library, this means validating decoded signature components and key parameters at the application boundary, rejecting zero, negative or out-of-range integers before they are passed to jsrsasign. Add runtime monitoring and alerting for a process whose CPU usage stays at 100% while its request throughput drops to zero, the signature of a blocked event loop, so that exploitation attempts are detected quickly. Apply rate limiting and input filtering at network boundaries to reduce exposure to crafted requests. For critical systems, run cryptographic operations in a separate worker thread, process or container with a timeout and resource limits, so that a hung computation can be terminated without taking the main service down. Review and update dependencies regularly to pick up security patches promptly, and include arithmetic edge cases (zero, negative and non-invertible operands) in security testing of cryptographic code paths to catch similar defects proactively.
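The following is an added example, not code from jsrsasign or from the advisory. It reimplements, in a simplified and iteration-bounded form, the binary modular-inverse loop shape described in the technical summary (odd modulus only, using native BigInt instead of jsbn's BigInteger so that it runs without the library installed) to show why zero and negative operands never terminate, and beside it the guarded inverse that the mitigation section recommends, which rejects those operands before any loop runs. The function names, the iteration cap and the sample values are this example's own assumptions.

```javascript
// Added example: bounded reimplementation of the vulnerable loop shape plus a guarded inverse.
// Not jsrsasign code. Uses BigInt; works for odd moduli only (assumption to keep it short).

const MAX_ITER = 4096; // assumption: far more steps than any real 4096-bit inverse needs

// Iteration-bounded binary inverse in the style of jsbn's bnModInverse.
// Returns the inverse of a mod m, 0n when a is not invertible (as jsbn does),
// or null when the step budget is exhausted, which is what an unbounded loop
// would turn into a hang:
//   a = 0  -> the "halve v while even" loop never exits because 0 stays even;
//   a < 0  -> u >= v is always true, so u only grows and never reaches 0.
function boundedBinaryInverse(a, m, maxIter = MAX_ITER) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') throw new TypeError('BigInt inputs required');
  if (m <= 1n || m % 2n === 0n) throw new RangeError('simplified variant needs an odd modulus > 1');
  let u = m, v = a;
  let b = 0n, d = 1n;            // invariants: u ≡ b·a (mod m), v ≡ d·a (mod m)
  let iter = 0;
  const outOfBudget = () => ++iter > maxIter;
  while (u !== 0n) {
    while (u % 2n === 0n) {
      if (outOfBudget()) return null;
      u /= 2n;
      if (b % 2n !== 0n) b -= m;   // m is odd, so b - m is even and halves exactly
      b /= 2n;
    }
    while (v % 2n === 0n) {
      if (outOfBudget()) return null; // a = 0 loops here forever
      v /= 2n;
      if (d % 2n !== 0n) d -= m;
      d /= 2n;
    }
    if (outOfBudget()) return null;   // a < 0 loops here forever
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return 0n;            // gcd(a, m) != 1: not invertible
  return ((d % m) + m) % m;
}

// Extended Euclid over BigInt: returns [g, x, y] with a*x + m*y = g = gcd(a, m).
function extendedGcd(a, m) {
  let [r0, r1] = [a, m];
  let [s0, s1] = [1n, 0n];
  let [t0, t1] = [0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  return [r0, s0, t0];
}

// Guarded inverse: the boundary check the mitigation describes. Zero and negative
// operands (the CVE trigger), a degenerate modulus and non-invertible values are
// rejected with an exception instead of being handed to a loop that assumes they
// cannot occur. Works for any modulus > 1.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') throw new TypeError('BigInt inputs required');
  if (m <= 1n) throw new RangeError('modulus must be > 1');
  if (a <= 0n) throw new RangeError('operand must be strictly positive');
  const [g, x] = extendedGcd(a, m);
  if (g !== 1n) throw new RangeError('operand is not invertible modulo m');
  return ((x % m) + m) % m;
}

// Sample values (constructed for this example): valid, non-invertible, and the two CVE triggers.
for (const [a, m] of [[3n, 7n], [10n, 17n], [3n, 9n], [0n, 7n], [-1n, 7n]]) {
  const bounded = boundedBinaryInverse(a, m);
  let guarded;
  try { guarded = String(safeModInverse(a, m)); } catch (e) { guarded = `rejected (${e.message})`; }
  console.log(`a=${a} m=${m}: bounded=${bounded === null ? 'would hang' : bounded} guarded=${guarded}`);
}
```

The bounded variant exists only to make the non-termination visible without freezing the interpreter; the fix a service actually needs is the upgrade, with safeModInverse-style checks at the point where signature or key integers are decoded from untrusted input.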
Affected Countries
United States, Germany, United Kingdom, India, Japan, South Korea, France, Canada, Australia, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: snyk
- Date Reserved: 2026-03-22T16:25:51.590Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c0d39df4197a8e3b12da3d
Added to database: 3/23/2026, 5:46:05 AM
Last enriched: 3/23/2026, 6:01:54 AM
Last updated: 3/24/2026, 6:09:46 AM