The vulnerability identified as CVE-2026-4603 affects the jsrsasign JavaScript library, a widely used cryptographic toolkit for handling RSA public-key operations. The flaw is a division by zero error triggered during the parsing and processing of RSA public keys, specifically within the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. When an attacker supplies a JSON Web Key (JWK) whose modulus component decodes to zero, the RSA operations such as signature verification and encryption collapse to deterministic zero outputs. This effectively hides errors that would normally indicate an invalid key, potentially allowing cryptographic operations to succeed incorrectly or fail silently. The vulnerability is exploitable without authentication or user interaction but requires local access to the environment where jsrsasign is used. The CVSS 4.0 base score is 5.1, reflecting medium severity due to the local attack vector and limited scope. No known exploits have been reported in the wild as of the publication date. The issue was resolved in jsrsasign version 11.1.1 by correcting the parsing and modular exponentiation logic to prevent division by zero and ensure proper error handling for invalid keys.

This vulnerability undermines the integrity and confidentiality guarantees of RSA cryptographic operations performed by jsrsasign. By forcing RSA operations to output zero deterministically, attackers can cause signature verifications to falsely succeed or fail silently, potentially allowing maliciously crafted keys to bypass security checks. This can lead to acceptance of forged signatures, unauthorized data access, or encryption failures. Organizations using jsrsasign in security-critical applications such as authentication, digital signatures, or secure communications risk compromised cryptographic assurances. The local attack vector limits remote exploitation, but insider threats or compromised local environments could exploit this flaw. The lack of user interaction and privileges required increases the risk in multi-tenant or shared environments. Although no active exploits are known, the vulnerability could be leveraged in targeted attacks against systems relying on vulnerable jsrsasign versions, impacting confidentiality, integrity, and availability of sensitive data and services.

To mitigate CVE-2026-4603, organizations should immediately upgrade jsrsasign to version 11.1.1 or later, where the division by zero flaw is fixed. Review all applications and services that use jsrsasign for RSA operations and ensure they are not using vulnerable versions. Implement input validation to reject JWKs with invalid or zero modulus values before processing. Employ runtime monitoring to detect anomalous cryptographic outputs such as deterministic zero results from RSA operations. Restrict local access to environments running jsrsasign to trusted users only, minimizing the risk of local exploitation. Conduct cryptographic integrity checks and audits to identify any suspicious signature verification or encryption anomalies. Consider using alternative well-maintained cryptographic libraries with robust error handling if upgrading is not immediately feasible. Finally, maintain an inventory of cryptographic dependencies and apply security patches promptly to reduce exposure.