DEBIAN-CVE-2026-33996

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-33996
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33996.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33996
Upstream
Published
2026-03-27T23:17:14.590Z
Modified
2026-04-01T08:00:08.285659Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the jwk2key tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.

References

Affected packages

Debian:14 / libjwt3

Package

Name
libjwt3
Purl
pkg:deb/debian/libjwt3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.2-1

Affected versions

3.*
3.2.2-1
3.2.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33996.json"