{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33996", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.214Z", "datePublished": "2026-03-27T22:21:21.465Z", "dateUpdated": "2026-03-31T18:53:51.741Z"}, "containers": {"cna": {"title": "LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"}, {"name": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "tags": ["x_refsource_MISC"], "url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c"}], "affected": [{"vendor": "benmcollins", "product": "libjwt", "versions": [{"version": ">= 3.0.0, < 3.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:21:21.465Z"}, "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}], "source": {"advisory": "GHSA-ph96-hqpc-9f66", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:38.575748Z", "id": "CVE-2026-33996", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:51.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33996", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:38.575748Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:39.588Z"}}], "cna": {"title": "LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing", "source": {"advisory": "GHSA-ph96-hqpc-9f66", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.8, "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "benmcollins", "product": "libjwt", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.3.0"}]}], "references": [{"url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "name": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "name": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:21:21.465Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33996", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:51.741Z", "dateReserved": "2026-03-24T22:20:06.214Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:21:21.465Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libjwt:libjwt:*:*:*:*:*:*:*:*", "matchCriteriaId": "E81C0065-7F31-461D-8F00-84DE42E4E8A1", "versionEndExcluding": "3.3.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}], "id": "CVE-2026-33996", "lastModified": "2026-03-31T20:39:06.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T23:17:14.590", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "LibJWT: LibJWT: Denial of Service via crafted JSON Web Key (JWK) files", "id": "2452531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452531"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.", "A flaw was found in LibJWT, a C JSON Web Token Library. When parsing JSON Web Key (JWK) files for RSA-PSS, the library did not correctly handle cases where NULL values were encountered instead of expected string values. An attacker could exploit this vulnerability by providing a specially crafted JWK file containing integers in fields that anticipate strings. This could lead to a denial of service, impacting the availability of systems using the affected library."], "name": "CVE-2026-33996", "public_date": "2026-03-27T22:21:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33996\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33996\nhttps://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c\nhttps://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"], "statement": "The LibJWT is only shipped with community products. The 2.x series and before of LibJWT does not have JWK parsing, so they are not affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "libjwt", "source": "cna", "vendor": "benmcollins"}, "product": "libjwt", "vendor": "benmcollins"}], "analysis": {"en": {"generated_at": "2026-03-28T05:50:05.143368+00:00", "value": {"mitigation_remediation": ["Upgrade LibJWT to version 3.3.0 or later", "If an upgrade is not possible, avoid importing JWK files from untrusted sources", "Employ the jwk2key tool to validate JWK files prior to use"], "summary": {"action": "Patch", "impact": "Memory Corruption / Denial of Service"}, "threat_synthesis": {"affected_systems": "BenCollins\u2019 LibJWT library is affected. Versions from 3.0.0 up to, but not including, 3.3.0 are vulnerable. These releases are used in many C projects that integrate JWT functionality. No other vendors or products are listed in CNA data.", "description_and_impact": "A null pointer dereference occurs when LibJWT parses a JWK file containing a RSA-PSS key that uses integers where the code expects JSON strings. The improper validation leads the library to dereference a NULL or uninitialized value, potentially causing a crash or unpredictable behavior. The vulnerability is categorized as a NULL pointer dereference and could allow an attacker to trigger a denial of service in the parsing process, or in some contexts to influence downstream cryptographic operations. The impact is limited to the library's parsing routine but may disrupt applications that rely on LibJWT for token validation.", "risk_and_exploitability": "The CVSS score of 5.8 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker supplying a crafted JWK file to a vulnerable application that imports keys via JWK, leading to a corruption of the library\u2019s internal state. Exploitation depends on the application\u2019s handling of the result, but a forced crash is the most consistent outcome observable from the provided description."}}}}, "created": "2026-03-29T20:29:25.948726+00:00", "updated": "2026-03-30T06:59:54.468736+00:00", "vendors": ["benmcollins", "benmcollins$PRODUCT$libjwt"]}