{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33996", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.214Z", "datePublished": "2026-03-27T22:21:21.465Z", "dateUpdated": "2026-03-31T18:53:51.741Z"}, "containers": {"cna": {"title": "LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"}, {"name": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "tags": ["x_refsource_MISC"], "url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c"}], "affected": [{"vendor": "benmcollins", "product": "libjwt", "versions": [{"version": ">= 3.0.0, < 3.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:21:21.465Z"}, "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}], "source": {"advisory": "GHSA-ph96-hqpc-9f66", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:38.575748Z", "id": "CVE-2026-33996", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:51.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33996", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:38.575748Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:39.588Z"}}], "cna": {"title": "LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing", "source": {"advisory": "GHSA-ph96-hqpc-9f66", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.8, "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "benmcollins", "product": "libjwt", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.3.0"}]}], "references": [{"url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "name": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "name": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:21:21.465Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33996", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:51.741Z", "dateReserved": "2026-03-24T22:20:06.214Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:21:21.465Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libjwt:libjwt:*:*:*:*:*:*:*:*", "matchCriteriaId": "E81C0065-7F31-461D-8F00-84DE42E4E8A1", "versionEndExcluding": "3.3.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}], "id": "CVE-2026-33996", "lastModified": "2026-03-31T20:39:06.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T23:17:14.590", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "LibJWT: LibJWT: Denial of Service via crafted JSON Web Key (JWK) files", "id": "2452531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452531"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.", "A flaw was found in LibJWT, a C JSON Web Token Library. When parsing JSON Web Key (JWK) files for RSA-PSS, the library did not correctly handle cases where NULL values were encountered instead of expected string values. An attacker could exploit this vulnerability by providing a specially crafted JWK file containing integers in fields that anticipate strings. This could lead to a denial of service, impacting the availability of systems using the affected library."], "name": "CVE-2026-33996", "public_date": "2026-03-27T22:21:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33996\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33996\nhttps://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c\nhttps://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"], "statement": "The LibJWT is only shipped with community products. The 2.x series and before of LibJWT does not have JWK parsing, so they are not affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "libjwt", "source": "cna", "vendor": "benmcollins"}, "product": "libjwt", "vendor": "benmcollins"}], "analysis": {"en": {"generated_at": "2026-04-01T07:00:05.640810+00:00", "value": {"mitigation_remediation": ["Upgrade libjwt to version 3.3.0 or later to correct the NULL/bounds validation issue.", "Validate JWK files with the provided jwk2key utility before importing them into the application.", "If possible, avoid importing RSA\u2011PSS keys via the JWK format or from untrusted sources."], "summary": {"action": "Patch ASAP", "impact": "Potential crash or unintended memory access when parsing RSA\u2011PSS JWKs"}, "threat_synthesis": {"affected_systems": "The issue affects the benmcollins/libjwt library, specifically releases between version 3.0.0 (inclusive) and 3.2.x (inclusive). Any C or C++ application that links against one of these library versions and processes JWK files containing RSA\u2011PSS keys is vulnerable, including authentication backends, token validators, or any service that imports keys from external sources.", "description_and_impact": "LibJWT contains a vulnerability in the parsing routine for JSON Web Key (JWK) files that use RSA\u2011PSS keys. The code that extracts string values does not validate that the JSON token is indeed a string; if an attacker supplies a numeric value where a string is expected, the routine can dereference a null or out\u2011of\u2011bounds pointer. This flaw is classified as a NULL pointer dereference (CWE\u2011476) and can lead to application crashes or undefined behavior that may damage data integrity if the library is used in a critical context.", "risk_and_exploitability": "The CVSS score of 5.8 indicates medium severity. EPSS is reported as less than 1\u202f%, so the likelihood of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is delivery of a specially crafted JWK file to an application that parses it. Attackers would need to supply the file, which is feasible via file upload, network transfer, or embedded content in a document. No public exploits are known, but the undefined behavior could potentially be leveraged for denial of service or memory corruption in untrusted environments."}}}}, "created": "2026-03-29T20:29:25.948726+00:00", "updated": "2026-04-02T07:55:12.599119+00:00", "vendors": ["benmcollins", "benmcollins$PRODUCT$libjwt"]}