CVE-2026-33996: CWE-476: NULL Pointer Dereference in benmcollins libjwt
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
AI Analysis
Technical Summary
LibJWT, a C library for JSON Web Tokens, contained a NULL pointer dereference vulnerability (CWE-476) in its JWK parsing logic for RSA-PSS keys in versions 3.0.0 through 3.2.x. The parser did not properly handle cases where integers were provided instead of expected JSON strings, leading to a NULL pointer dereference. This flaw was addressed in libjwt version 3.3.0. The vulnerability requires an attacker to supply a crafted JWK file to trigger the issue. Mitigation includes upgrading to version 3.3.0, validating JWK files with the jwk2key tool, and avoiding untrusted JWK imports or RSA-PSS keys in JWK files.
Potential Impact
The vulnerability can cause a NULL pointer dereference during JWK parsing, potentially leading to application crashes or denial of service when processing maliciously crafted JWK files containing RSA-PSS keys. There is no indication of code execution or data leakage from the provided information. Exploitation requires the attacker to provide a specially crafted JWK file and user interaction to import such keys.
Mitigation Recommendations
A fix is available in libjwt version 3.3.0. Users should upgrade to this version to remediate the vulnerability. Until upgrading, users should avoid importing JWK files from untrusted sources, use the jwk2key tool to validate JWK files before import, and if possible, avoid using JWK files with RSA-PSS keys. These steps reduce the risk of triggering the NULL pointer dereference.
CVE-2026-33996: CWE-476: NULL Pointer Dereference in benmcollins libjwt
Description
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LibJWT, a C library for JSON Web Tokens, contained a NULL pointer dereference vulnerability (CWE-476) in its JWK parsing logic for RSA-PSS keys in versions 3.0.0 through 3.2.x. The parser did not properly handle cases where integers were provided instead of expected JSON strings, leading to a NULL pointer dereference. This flaw was addressed in libjwt version 3.3.0. The vulnerability requires an attacker to supply a crafted JWK file to trigger the issue. Mitigation includes upgrading to version 3.3.0, validating JWK files with the jwk2key tool, and avoiding untrusted JWK imports or RSA-PSS keys in JWK files.
Potential Impact
The vulnerability can cause a NULL pointer dereference during JWK parsing, potentially leading to application crashes or denial of service when processing maliciously crafted JWK files containing RSA-PSS keys. There is no indication of code execution or data leakage from the provided information. Exploitation requires the attacker to provide a specially crafted JWK file and user interaction to import such keys.
Mitigation Recommendations
A fix is available in libjwt version 3.3.0. Users should upgrade to this version to remediate the vulnerability. Until upgrading, users should avoid importing JWK files from untrusted sources, use the jwk2key tool to validate JWK files before import, and if possible, avoid using JWK files with RSA-PSS keys. These steps reduce the risk of triggering the NULL pointer dereference.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T22:20:06.214Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c706502b68dbd88e324705
Added to database: 3/27/2026, 10:36:00 PM
Last enriched: 4/4/2026, 10:51:22 AM
Last updated: 5/11/2026, 5:25:05 AM
Views: 82
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.