CVE-2026-33996
Received Received - Intake
Null Pointer Dereference in LibJWT JWK Parsing (RSA-PSS

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33996
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libjwt libjwt From 3.0.0 (inc) to 3.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in LibJWT, a C JSON Web Token Library, specifically in versions starting from 3.0.0 up to but not including 3.3.0. The issue is in the JWK parsing for RSA-PSS keys, where the code did not properly handle NULL values when it expected JSON string values. An attacker could exploit this by crafting a JWK file that uses integers where strings are expected, potentially causing unexpected behavior.

This flaw was fixed in version 3.3.0. A workaround involves avoiding importing keys from untrusted JWK files and using the `jwk2key` tool to validate JWK files. It is also recommended to avoid using JWK files with RSA-PSS keys if possible.

Impact Analysis

Exploiting this vulnerability could lead to improper parsing of JWK files, which might allow an attacker to bypass expected validation or cause the application to behave incorrectly when handling RSA-PSS keys. This could potentially compromise the security of token verification or key handling processes.

Detection Guidance

This vulnerability can be detected by checking the validity of JWK files used for importing keys, especially those involving RSA-PSS keys. The recommended method is to use the `jwk2key` tool to verify the validity of a JWK file.

Users should look for JWK files that contain integers where strings are expected, as this is the core issue exploited by the vulnerability.

No specific network or system commands are provided in the available information.

Mitigation Strategies

Immediate mitigation steps include upgrading LibJWT to version 3.3.0 or later, where the vulnerability has been fixed.

As a workaround, avoid importing keys through JWK files from untrusted sources.

If possible, avoid using JWK files with RSA-PSS keys until the library is updated.

Use the `jwk2key` tool to check the validity of JWK files before importing them.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33996. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart