CVE-2026-33996: CWE-476: NULL Pointer Dereference in benmcollins libjwt
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
AI Analysis
Technical Summary
LibJWT is a C library for handling JSON Web Tokens (JWTs), which are widely used for authentication and authorization in modern applications. CVE-2026-33996 identifies a NULL pointer dereference in libjwt versions from 3.0.0 up to but not including 3.3.0. The flaw is in the JSON Web Key (JWK) parsing logic for RSA-PSS keys. When parsing a JWK, the library expects certain members to be JSON strings; if a crafted JWK carries an integer where a string is expected, the lookup of that string value yields NULL, and the parser dereferences it instead of rejecting the key. The result is a NULL pointer dereference, which typically crashes the application using libjwt and so causes a denial of service (DoS). Exploitation requires the attacker to supply a malicious JWK file, which implies some level of user interaction or network access to deliver the file. The CVSS 4.0 base score is 5.8 (medium): the attack vector is adjacent network (AV:A), attack complexity is high (AC:H), no privileges are required (PR:N), but user interaction is needed (UI:A). The impact on confidentiality and integrity is low, while the availability impact is high because of the crash. No exploits have been reported in the wild, and the issue was fixed in libjwt version 3.3.0. The recommended workaround is to validate JWK files with the jwk2key tool before importing them and, where possible, to avoid RSA-PSS keys in JWK files.
Potential Impact
The primary impact of this vulnerability is denial of service: the application crashes when it processes a maliciously crafted JWK file containing an RSA-PSS key. Organizations relying on libjwt for JWT validation and key management, especially those importing JWK files from external or untrusted sources, face a risk of service disruption. This can affect authentication services, API gateways, and other security-critical components that depend on JWTs for access control. The vulnerability does not directly expose sensitive data or allow code execution, but the resulting downtime could cause operational disruption, a degraded user experience, and cascading failures in dependent systems. Anyone able to supply a JWK file to an affected component can trigger the crash. Given the medium severity and the requirement for user interaction or a file import, the risk is moderate, but it should not be underestimated in high-security environments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade libjwt to version 3.3.0 or later where the issue is fixed. Until upgrading is possible, implement strict validation of all JWK files before importing them, using the jwk2key tool provided by the vendor to detect malformed or malicious keys. Avoid importing JWK files from untrusted or unauthenticated sources, and if possible, refrain from using RSA-PSS keys in JWK files. Incorporate input validation and sanitization controls in the application layer to detect and reject malformed JWK inputs. Monitor application logs for crashes or abnormal behavior related to JWT processing. Consider isolating JWT parsing components in sandboxed environments to limit the impact of potential crashes. Finally, maintain an inventory of all systems using libjwt and ensure patch management policies prioritize this update.
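The advisory's workaround is to validate JWK files before libjwt ever sees them. The following added example (not libjwt's code, and not the project's jwk2key tool) shows what such an application-layer pre-check looks like in Python: it enforces that every JWK member the library will read as a string is actually a JSON string, which is exactly the malformed-input class described above, and it rejects the whole document rather than partially importing it. The member names come from RFC 7517 and RFC 7518; the sample JWK documents are constructed placeholders, not real key material, and the `allow_rsa_pss` switch is an assumption made here to mirror the advice to avoid RSA-PSS keys where possible.

```python
import json

# RSA JWK members that RFC 7518 section 6.3 defines as base64url strings.
RSA_STRING_MEMBERS = ("n", "e", "d", "p", "q", "dp", "dq", "qi")
# Common JWK members (RFC 7517 section 4) that must be strings when present.
COMMON_STRING_MEMBERS = ("kty", "use", "alg", "kid")
# JWS algorithm names for RSASSA-PSS (RFC 7518 section 3.5).
RSA_PSS_ALGS = frozenset({"PS256", "PS384", "PS512"})


def check_jwk(jwk):
    """Return a list of problems found in one JWK object (empty list: accepted).

    This is a type-level check only: it verifies that every member the
    library reads as a string is a JSON string (an integer in one of those
    slots is the input shape the advisory describes). It does not verify
    that the key material itself is usable.
    """
    if not isinstance(jwk, dict):
        return ["JWK must be a JSON object"]
    problems = []
    for name in COMMON_STRING_MEMBERS + RSA_STRING_MEMBERS:
        if name in jwk and not isinstance(jwk[name], str):
            problems.append(
                f"member {name!r} must be a JSON string, got {type(jwk[name]).__name__}"
            )
    if jwk.get("kty") == "RSA":
        for name in ("n", "e"):
            if name not in jwk:
                problems.append(f"RSA key is missing required member {name!r}")
    return problems


def is_rsa_pss(jwk):
    """True when the JWK declares an RSA-PSS algorithm (the key class the advisory concerns)."""
    return jwk.get("kty") == "RSA" and jwk.get("alg") in RSA_PSS_ALGS


def load_jwks(text, allow_rsa_pss=False):
    """Parse a JWK or JWK Set document and return the list of accepted keys.

    Raises ValueError listing every problem if any key fails, so a document
    is either fully accepted or fully rejected. RSA-PSS keys are refused
    unless allow_rsa_pss is True (hypothetical policy switch, not a libjwt option).
    """
    doc = json.loads(text)
    keys = doc["keys"] if isinstance(doc, dict) and "keys" in doc else [doc]
    if not isinstance(keys, list):
        raise ValueError('"keys" must be a JSON array')
    problems = []
    for index, jwk in enumerate(keys):
        for problem in check_jwk(jwk):
            problems.append(f"key[{index}]: {problem}")
        if isinstance(jwk, dict) and not allow_rsa_pss and is_rsa_pss(jwk):
            problems.append(f"key[{index}]: RSA-PSS keys are not accepted from this source")
    if problems:
        raise ValueError("; ".join(problems))
    return keys


# Constructed sample documents; the base64url values are placeholders, not real keys.
GOOD_JWK_TEXT = '{"kty":"RSA","alg":"PS256","kid":"k1","n":"sXchDaQ","e":"AQAB"}'
BAD_JWK_TEXT = '{"kty":"RSA","alg":"PS256","kid":"k1","n":12345,"e":"AQAB"}'
BAD_SET_TEXT = '{"keys":[' + GOOD_JWK_TEXT + ',' + BAD_JWK_TEXT + ']}'

if __name__ == "__main__":
    for label, text in (("good", GOOD_JWK_TEXT), ("bad", BAD_JWK_TEXT), ("set", BAD_SET_TEXT)):
        try:
            accepted = load_jwks(text, allow_rsa_pss=True)
            print(f"{label}: accepted {len(accepted)} key(s)")
        except ValueError as err:
            print(f"{label}: rejected: {err}")
```

Run the check on any JWK document before handing it to the library; on a rejection, log the message and drop the document rather than importing the keys that passed, since a partially imported set is a sign the source is untrustworthy. Upgrading to 3.3.0 remains the real fix; this pre-check only keeps the known-bad input shape away from the vulnerable parser.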
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T22:20:06.214Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c706502b68dbd88e324705
Added to database: 3/27/2026, 10:36:00 PM
Last enriched: 3/27/2026, 10:51:26 PM
Last updated: 3/27/2026, 11:36:16 PM