{"id":"CVE-2026-33996","summary":"LibJWT has NULL/bounds validation in JWK octet and RSA PSS parsing","details":"LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.","aliases":["GHSA-ph96-hqpc-9f66"],"modified":"2026-04-02T13:41:39.197124Z","published":"2026-03-27T22:21:21.465Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33996.json","cwe_ids":["CWE-476"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33996.json"},{"type":"FIX","url":"https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c"},{"type":"ADVISORY","url":"https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33996"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/benmcollins/libjwt","events":[{"introduced":"97bb1e5cdd0c47e3d60eb7c44c7214ff4ad7b4c4"},{"fixed":"aca2229ecf56f6f64a1a2d505f48aaca15907628"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.3.0"}]}}],"versions":["v3.0.0","v3.1.0","v3.2.0","v3.2.1","v3.2.2","v3.2.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33996.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L"}]}