Red Hat CVE-2026-33996
MEDIUMSeverity by source
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the jwk2key tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
AnalysisAI
LibJWT versions 3.0.0 through 3.2.x are vulnerable to denial of service through a NULL pointer dereference in RSA-PSS JWK parsing. When processing specially crafted JWK files that substitute integers for expected string values, the library fails to validate input types, causing a crash. This affects applications that import RSA-PSS keys from JWK files, particularly those handling untrusted key sources. No public exploit code has been identified; patch 3.3.0 resolves the issue.
Technical ContextAI
LibJWT is a C-based implementation of JSON Web Token (JWT) standards, which rely on JSON Web Key (JWK) format for cryptographic key exchange. The vulnerability stems from insufficient type validation during JWK deserialization for RSA-PSS (RSA Probabilistic Signature Scheme) keys. CWE-476 (NULL pointer dereference) indicates the code path fails to verify that parsed JSON values are of the expected string type before dereferencing pointers, allowing an attacker to trigger undefined behavior by providing integers in place of string fields. The RSA-PSS algorithm is used for high-assurance digital signatures, making key import a critical security boundary. The flaw is rooted in the library's JWK parsing logic, which was refactored in version 3.0.0 and remained vulnerable through 3.2.x.
RemediationAI
Vendor-released patch: LibJWT 3.3.0. Upgrade immediately if your application uses RSA-PSS JWK import. If upgrading is not immediately feasible, implement a workaround: do not import RSA-PSS keys from JWK files, particularly untrusted sources; instead, use pre-provisioned RSA-PSS keys or alternative key exchange mechanisms. Validate all JWK input using the jwk2key utility provided by LibJWT before processing to detect malformed files. For applications in development, enforce strict code review of JWK parsing paths. See https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66 for detailed vendor remediation guidance.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today