CVE-2026-4598
Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigIn
CVSS
7.5
High
EPSS
0.6%
p42
KEV
—
Exploit Today
13
0-100
Published: Mar 23, 2026 · Last modified: Jul 15, 2026 · CWE-835 · CWE-1287
0.6%EPSS · 30 days0.6%
2026-06-302026-07-16
Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).
- gist.github.comhttps://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264
- github.comhttps://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323
- github.comhttps://github.com/kjur/jsrsasign/pull/648
- security.snyk.iohttps://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812263
- security.snyk.iohttps://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19375
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19409
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19410
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22840
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23361
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6568
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6720
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-4598
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2450210
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4598.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-48907.5 HIG93.6%
——28A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.2dCVE-2026-256397.5 HIG82.9%
——25Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.15hCVE-2026-428997.5 HIG82.4%
——25Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.2dCVE-2026-331167.5 HIG80.0%
——24Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.2dCVE-2026-465227.5 HIG76.7%
——23ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.2dCVE-2026-59467.5 HIG76.2%
——23Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.2d