Description
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
Published: 2026-03-27
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential crash or unintended memory access when parsing RSA‑PSS JWKs
Action: Patch ASAP
AI Analysis

Impact

LibJWT contains a vulnerability in the parsing routine for JSON Web Key (JWK) files that use RSA‑PSS keys. The code that extracts string values does not validate that the JSON token is indeed a string; if an attacker supplies a numeric value where a string is expected, the routine can dereference a null or out‑of‑bounds pointer. This flaw is classified as a NULL pointer dereference (CWE‑476) and can lead to application crashes or undefined behavior that may damage data integrity if the library is used in a critical context.

Affected Systems

The issue affects the benmcollins/libjwt library, specifically releases between version 3.0.0 (inclusive) and 3.2.x (inclusive). Any C or C++ application that links against one of these library versions and processes JWK files containing RSA‑PSS keys is vulnerable, including authentication backends, token validators, or any service that imports keys from external sources.

Risk and Exploitability

The CVSS score of 5.8 indicates medium severity. EPSS is reported as less than 1 %, so the likelihood of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is delivery of a specially crafted JWK file to an application that parses it. Attackers would need to supply the file, which is feasible via file upload, network transfer, or embedded content in a document. No public exploits are known, but the undefined behavior could potentially be leveraged for denial of service or memory corruption in untrusted environments.

Generated by OpenCVE AI on April 1, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libjwt to version 3.3.0 or later to correct the NULL/bounds validation issue.
  • Validate JWK files with the provided jwk2key utility before importing them into the application.
  • If possible, avoid importing RSA‑PSS keys via the JWK format or from untrusted sources.
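The advisory's second action, checking a JWK before it reaches the parser, can be mirrored by a strict type check of the JWK document itself. The Python below is an added example, not code from libjwt or from the `jwk2key` tool: it rejects the input class the description names (a JSON number where a string parameter is expected) for RSA keys, including RSA-PSS ones carrying a `PS*` `alg`, and also covers the symmetric `oct` key type named in the advisory title. Member names follow RFC 7517 and RFC 7518; the rule set and the sample JWKs are this example's own constructions.

```python
"""Pre-import structural check for JWK documents (added example, not libjwt code).

Goal: refuse a JWK whose string-valued members are not JSON strings before
the document is handed to any key parser. The member names come from
RFC 7517 (JWK) and RFC 7518 (JWA); the checks themselves are an assumption
of this example, not the behaviour of libjwt or jwk2key.
"""
import json

# RSA private/public parameters, all base64url strings (RFC 7518 section 6.3).
RSA_STRING_FIELDS = ("n", "e", "d", "p", "q", "dp", "dq", "qi")
# Symmetric ("oct") keys carry their bytes in "k" (RFC 7518 section 6.4).
OCT_STRING_FIELDS = ("k",)
# Members common to every JWK that must be strings when present (RFC 7517 section 4).
COMMON_STRING_FIELDS = ("kty", "use", "alg", "kid", "x5u", "x5t", "x5t#S256")
# RSASSA-PSS algorithm identifiers (RFC 7518 section 3.1).
PSS_ALGS = {"PS256", "PS384", "PS512"}
B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def _is_b64url(value):
    """True for a non-empty string drawn only from the base64url alphabet."""
    return len(value) > 0 and set(value) <= B64URL_ALPHABET


def check_jwk(jwk):
    """Return a list of problems found in a decoded JWK; empty list means it passed."""
    if not isinstance(jwk, dict):
        return ["top-level value is not a JSON object"]
    problems = []

    # Every common member that is present must be a string, never a number/null.
    for name in COMMON_STRING_FIELDS:
        if name in jwk and not isinstance(jwk[name], str):
            problems.append(f"{name}: expected string, got {type(jwk[name]).__name__}")

    # x5c is the one array-valued member: it must be an array of strings.
    if "x5c" in jwk and not (
        isinstance(jwk["x5c"], list) and all(isinstance(c, str) for c in jwk["x5c"])
    ):
        problems.append("x5c: expected array of strings")

    kty = jwk.get("kty")
    if not isinstance(kty, str):
        problems.append("kty: missing or not a string")
        return problems

    if kty == "RSA":
        required, fields = ("n", "e"), RSA_STRING_FIELDS
    elif kty == "oct":
        required, fields = ("k",), OCT_STRING_FIELDS
    else:
        return problems  # other key types are outside the scope of this example

    for name in required:
        if name not in jwk:
            problems.append(f"{name}: required for kty={kty} but missing")

    # The core check: key material must be a base64url string, not an integer.
    for name in fields:
        if name not in jwk:
            continue
        value = jwk[name]
        if not isinstance(value, str):
            problems.append(f"{name}: expected base64url string, got {type(value).__name__}")
        elif not _is_b64url(value):
            problems.append(f"{name}: not base64url")

    alg = jwk.get("alg")
    if isinstance(alg, str) and alg in PSS_ALGS and kty != "RSA":
        problems.append(f"alg={alg} requires kty=RSA")
    return problems


def check_jwk_text(text):
    """Parse JSON text and run check_jwk; malformed JSON is reported as a problem."""
    try:
        obj = json.loads(text)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"]
    return check_jwk(obj)


# Constructed sample inputs: not real keys, the base64url values are placeholders.
GOOD_PSS_JWK = '{"kty":"RSA","alg":"PS256","kid":"demo","n":"sXchDaQ","e":"AQAB"}'
BAD_PSS_JWK = '{"kty":"RSA","alg":"PS256","kid":"demo","n":12345,"e":"AQAB"}'
BAD_OCT_JWK = '{"kty":"oct","k":42}'

if __name__ == "__main__":
    for label, doc in (("good", GOOD_PSS_JWK), ("bad-rsa", BAD_PSS_JWK), ("bad-oct", BAD_OCT_JWK)):
        print(label, check_jwk_text(doc) or "ok")
```

The check runs before the JWK is passed to any library, so a document rejected here never reaches the affected parsing path; it is a complement to upgrading, not a substitute for it.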



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

  • First Time appeared
      Added: Libjwt; Libjwt libjwt
  • CPEs
      Added: cpe:2.3:a:libjwt:libjwt:*:*:*:*:*:*:*:*
  • Vendors & Products
      Added: Libjwt; Libjwt libjwt
  • Metrics
      Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H'}
      Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Tue, 31 Mar 2026 19:15:00 +0000

  • Metrics
      Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

  • First Time appeared
      Added: Benmcollins; Benmcollins libjwt
  • Vendors & Products
      Added: Benmcollins; Benmcollins libjwt

Sun, 29 Mar 2026 12:15:00 +0000

  • References
      (no values recorded)
  • Metrics
      Removed: threat_severity None
      Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H'}; threat_severity Moderate


Sat, 28 Mar 2026 03:15:00 +0000

  • Description
      Added: LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
  • Title
      Added: LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing
  • Weaknesses
      Added: CWE-476
  • References
      (no values recorded)
  • Metrics
      Added: cvssV4_0 {'score': 5.8, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:53:51.741Z

Reserved: 2026-03-24T22:20:06.214Z

Link: CVE-2026-33996

Vulnrichment

Updated: 2026-03-31T18:50:39.588Z

NVD

Status: Analyzed

Published: 2026-03-27T23:17:14.590

Modified: 2026-03-31T20:39:06.073

Link: CVE-2026-33996

Redhat

Severity: Moderate

Public Date: 2026-03-27T22:21:21Z

Links: CVE-2026-33996 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:55:12Z

Weaknesses