CVE-2026-4599 affects the jsrsasign JavaScript cryptographic library, specifically versions from 7.0.0 up to and including 11.1.1. The vulnerability arises from incomplete comparison logic within the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js. These functions are responsible for generating random big integers used as nonces in DSA signature generation. Due to incorrect compareTo checks, the functions accept out-of-range candidates, which biases the nonce values. This bias can be exploited by an attacker to recover the private key associated with the DSA signatures, effectively breaking the cryptographic security guarantees. The flaw does not require any privileges, authentication, or user interaction, and can be exploited remotely by analyzing signatures generated by the vulnerable library. The CVSS 4.0 score of 9.3 (critical) reflects the high impact on confidentiality and integrity, with network attack vector, low attack complexity, and no required privileges or user interaction. No known exploits are currently reported in the wild, but the vulnerability presents a significant risk to any system relying on jsrsasign for cryptographic operations, especially those involving digital signatures and key management.

The impact of CVE-2026-4599 is severe for organizations worldwide that use jsrsasign for cryptographic functions, particularly digital signature generation using DSA. Successful exploitation allows attackers to recover private keys, compromising the confidentiality and integrity of communications, authentication, and data protection mechanisms. This can lead to unauthorized data access, impersonation, code signing forgery, and undermining of trust in digital certificates and secure communications. The vulnerability affects any system that relies on jsrsasign for cryptographic signing, including web applications, blockchain platforms, secure messaging, and software distribution. The ease of exploitation without authentication or user interaction increases the risk of widespread attacks once exploit code becomes available. Organizations in sectors such as finance, government, healthcare, and critical infrastructure are particularly vulnerable due to the sensitive nature of their cryptographic operations and the potential for significant operational disruption and data breaches.

To mitigate CVE-2026-4599, organizations should immediately upgrade jsrsasign to a version later than 11.1.1 where the vulnerability is patched. If upgrading is not immediately feasible, implement additional validation checks on nonce values generated during DSA signature processes to ensure they fall within the correct range and are not biased. Employ cryptographic best practices such as using alternative, well-vetted cryptographic libraries that do not exhibit this flaw. Monitor cryptographic operations for anomalies in signature generation that could indicate exploitation attempts. Restrict exposure of systems performing DSA signing to trusted networks and users to reduce attack surface. Additionally, conduct thorough code reviews and penetration testing focused on cryptographic implementations to detect similar logic errors. Maintain up-to-date threat intelligence to respond rapidly if exploit code emerges in the wild.