Skip to main content

Red Hat CVE-2026-33996

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-27 GitHub_M
5.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 27, 2026 - 22:46 vuln.today
CVE Published
Mar 27, 2026 - 22:21 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the jwk2key tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.

AnalysisAI

LibJWT versions 3.0.0 through 3.2.x are vulnerable to denial of service through a NULL pointer dereference in RSA-PSS JWK parsing. When processing specially crafted JWK files that substitute integers for expected string values, the library fails to validate input types, causing a crash. This affects applications that import RSA-PSS keys from JWK files, particularly those handling untrusted key sources. No public exploit code has been identified; patch 3.3.0 resolves the issue.

Technical ContextAI

LibJWT is a C-based implementation of JSON Web Token (JWT) standards, which rely on JSON Web Key (JWK) format for cryptographic key exchange. The vulnerability stems from insufficient type validation during JWK deserialization for RSA-PSS (RSA Probabilistic Signature Scheme) keys. CWE-476 (NULL pointer dereference) indicates the code path fails to verify that parsed JSON values are of the expected string type before dereferencing pointers, allowing an attacker to trigger undefined behavior by providing integers in place of string fields. The RSA-PSS algorithm is used for high-assurance digital signatures, making key import a critical security boundary. The flaw is rooted in the library's JWK parsing logic, which was refactored in version 3.0.0 and remained vulnerable through 3.2.x.

RemediationAI

Vendor-released patch: LibJWT 3.3.0. Upgrade immediately if your application uses RSA-PSS JWK import. If upgrading is not immediately feasible, implement a workaround: do not import RSA-PSS keys from JWK files, particularly untrusted sources; instead, use pre-provisioned RSA-PSS keys or alternative key exchange mechanisms. Validate all JWK input using the jwk2key utility provided by LibJWT before processing to detect malformed files. For applications in development, enforce strict code review of JWK parsing paths. See https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66 for detailed vendor remediation guidance.

Vendor StatusVendor

Share

CVE-2026-33996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy