CVE-2026-33996

Source
https://cve.org/CVERecord?id=CVE-2026-33996
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33996.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33996
Aliases
  • GHSA-ph96-hqpc-9f66
Downstream
Published
2026-03-27T22:21:21.465Z
Modified
2026-04-02T13:41:39.197124Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L CVSS Calculator
Summary
LibJWT is missing NULL/bounds validation in JWK octet and RSA-PSS parsing
Details

LibJWT is a C JSON Web Token library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parser for RSA-PSS keys did not guard against a NULL result where it expected to read a JSON string value. A specially crafted JWK file could trigger the NULL pointer dereference by supplying integers in places where the code expected strings. This was fixed in v3.3.0. Workarounds are available: do not import keys from JWK files obtained from untrusted sources; use the jwk2key tool to check a JWK file for validity before importing it; and, where possible, avoid JWK files that carry RSA-PSS keys.
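The failure mode described above and the pre-import check the workaround calls for, as an added example (not libjwt's code, and not the JSON library it links against): a self-contained model of a parsed JWK object whose string accessor returns NULL for non-string members, the unchecked pattern that dereferences that NULL, and a hardened check that rejects an integer-valued "n" before any key material is touched. The type names, error codes, function names and the sample key values are assumptions made for this example; the "n" value is a truncated illustrative string, not a real modulus.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a parsed JSON object (not libjwt's or its JSON
 * library's types). Each member is a string or an integer; that is enough
 * to show the bug. */
typedef enum { JV_STRING, JV_INTEGER } jv_type;
typedef struct {
    const char *name;
    jv_type     type;
    const char *str;   /* valid when type == JV_STRING */
    long long   num;   /* valid when type == JV_INTEGER */
} jv_member;
typedef struct { const jv_member *members; size_t count; } jv_object;

static const jv_member *jv_get(const jv_object *obj, const char *name) {
    for (size_t i = 0; i < obj->count; i++)
        if (strcmp(obj->members[i].name, name) == 0) return &obj->members[i];
    return NULL;
}

/* Usual C JSON accessor contract: NULL when the member is absent OR not a
 * string. The caller must check; the pre-3.3.0 parser did not. */
static const char *jv_string_value(const jv_member *m) {
    return (m && m->type == JV_STRING) ? m->str : NULL;
}

/* Vulnerable pattern (CWE-476): assumes "n" is a string. For {"n": 12345}
 * the accessor returns NULL and strlen(NULL) dereferences it. Kept only for
 * contrast; never called on the crafted input below. */
size_t rsa_pss_n_len_unchecked(const jv_object *jwk) {
    return strlen(jv_string_value(jv_get(jwk, "n")));
}

enum jwk_err {
    JWK_OK = 0,
    JWK_MISSING,      /* required member absent */
    JWK_NOT_STRING,   /* member present but not a JSON string */
    JWK_BAD_B64URL,   /* string has characters outside base64url */
    JWK_WRONG_KTY     /* "kty" is a string but not "RSA" */
};

static int is_b64url(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!(isalnum((unsigned char)*s) || *s == '-' || *s == '_')) return 0;
    return 1;
}

/* Hardened accessor: reports absent vs. wrong-type instead of folding both
 * into a NULL that a later strlen()/memcpy() will dereference. */
enum jwk_err jwk_get_string(const jv_object *jwk, const char *name, const char **out) {
    const jv_member *m = jv_get(jwk, name);
    *out = NULL;
    if (!m) return JWK_MISSING;
    if (m->type != JV_STRING) return JWK_NOT_STRING;
    *out = m->str;
    return JWK_OK;
}

/* Pre-import check for the public part of an RSA(-PSS) JWK: "kty", "n" and
 * "e" must be strings ("n"/"e" base64url); "alg", if present, must be a
 * string. On failure *bad_field names the offending member. */
enum jwk_err rsa_pss_jwk_check(const jv_object *jwk, const char **bad_field) {
    static const char *const b64_fields[] = { "n", "e" };
    const char *v;
    enum jwk_err err;

    *bad_field = "kty";
    if ((err = jwk_get_string(jwk, "kty", &v)) != JWK_OK) return err;
    if (strcmp(v, "RSA") != 0) return JWK_WRONG_KTY;
    for (size_t i = 0; i < sizeof b64_fields / sizeof b64_fields[0]; i++) {
        *bad_field = b64_fields[i];
        if ((err = jwk_get_string(jwk, b64_fields[i], &v)) != JWK_OK) return err;
        if (!is_b64url(v)) return JWK_BAD_B64URL;
    }
    *bad_field = "alg";
    if (jv_get(jwk, "alg") && (err = jwk_get_string(jwk, "alg", &v)) != JWK_OK) return err;
    *bad_field = NULL;
    return JWK_OK;
}

/* Constructed inputs: a well-formed RSA-PSS JWK and the crafted variant with
 * an integer where "n" should be a string. */
static const jv_member good_members[] = {
    { "kty", JV_STRING, "RSA", 0 }, { "alg", JV_STRING, "PS256", 0 },
    { "n", JV_STRING, "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wlj", 0 },
    { "e", JV_STRING, "AQAB", 0 },
};
static const jv_member crafted_members[] = {
    { "kty", JV_STRING, "RSA", 0 }, { "alg", JV_STRING, "PS256", 0 },
    { "n", JV_INTEGER, NULL, 12345 }, { "e", JV_STRING, "AQAB", 0 },
};
const jv_object good_jwk    = { good_members, 4 };
const jv_object crafted_jwk = { crafted_members, 4 };

int main(void) {
    const char *field;
    enum jwk_err err = rsa_pss_jwk_check(&crafted_jwk, &field);
    printf("crafted JWK: err=%d field=%s\n", (int)err, field ? field : "-");
    printf("good JWK:    err=%d\n", (int)rsa_pss_jwk_check(&good_jwk, &field));
    return err == JWK_OK;   /* nonzero exit if the crafted key was accepted */
}
```

The same check is worth running over the private members (d, p, q, dp, dq, qi) when a JWK carries them; the loop over b64_fields only needs those names added. The crafted object is deliberately never passed to rsa_pss_n_len_unchecked(), since that is the call that would crash.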

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33996.json",
    "cwe_ids": [
        "CWE-476"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/benmcollins/libjwt

Affected ranges

Type
GIT
Repo
https://github.com/benmcollins/libjwt
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.3.0"
        }
    ]
}

Affected versions

v3.*
v3.0.0
v3.1.0
v3.2.0
v3.2.1
v3.2.2
v3.2.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33996.json"