CVE-2026-33996 Overview
CVE-2026-33996 is a NULL Pointer Dereference vulnerability in LibJWT, a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string, leading to application crashes or potential denial of service conditions.
Critical Impact
Applications using LibJWT to parse untrusted JWK files with RSA-PSS keys are vulnerable to crashes through malformed input, potentially causing service disruption.
Affected Products
- LibJWT versions >= 3.0.0 and < 3.3.0
- Applications using LibJWT for JWK parsing with RSA-PSS key support
- Systems processing JWK files from untrusted sources
Discovery Timeline
- 2026-03-27 - CVE-2026-33996 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33996
Vulnerability Analysis
This vulnerability exists in LibJWT's JSON Web Key (JWK) parsing functionality, specifically when handling RSA-PSS cryptographic keys. The flaw occurs because the parser fails to validate that expected JSON string values are actually strings before dereferencing them. When the parser encounters an integer value where a string is expected, it attempts to process this data without proper type checking, resulting in a NULL pointer dereference.
The vulnerability is classified as CWE-476 (NULL Pointer Dereference), which occurs when an application dereferences a pointer that it expects to be valid but is actually NULL. In this case, the parsing logic does not adequately verify the JSON value types before attempting string operations.
Root Cause
The root cause stems from insufficient input validation in the JWK parsing routines for RSA-PSS keys. The code assumes that certain JSON fields will always contain string values as per the JWK specification. However, when processing a maliciously crafted JWK file that contains integer values instead of the expected strings, the parsing function returns NULL, which is then dereferenced without a safety check.
Attack Vector
The attack requires an adversary to craft a malicious JWK file with type-confused values (integers where strings are expected) and have the target application parse this file. The attack vector is categorized as Adjacent Network, requiring some level of proximity or access to provide the malicious input. User interaction is required to trigger the vulnerability, as the victim application must actively import or process the attacker-supplied JWK file.
The exploitation chain involves:
- Attacker creates a malformed JWK file with RSA-PSS key parameters containing integers instead of strings
- The victim application imports this JWK file for key processing
- The LibJWT parser encounters the unexpected integer type and returns NULL
- The code attempts to dereference the NULL pointer, causing a crash
The vulnerability mechanism involves improper type checking in the JSON parsing logic. When the parser expects a string value for RSA-PSS key parameters but receives an integer, it fails to handle this type mismatch gracefully. For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33996
Indicators of Compromise
- Application crashes or segmentation faults when processing JWK files
- Unexpected service terminations in JWT-based authentication systems
- Core dumps showing NULL pointer access in LibJWT parsing functions
- Error logs indicating malformed JWK file processing attempts
Detection Strategies
- Monitor application logs for segmentation faults or abnormal terminations related to JWT processing
- Implement input validation to detect malformed JWK files before they reach the LibJWT parser
- Use static analysis tools to identify LibJWT version dependencies in your codebase
- Deploy file integrity monitoring on systems that store JWK files
Monitoring Recommendations
- Enable crash reporting and analyze core dumps for LibJWT-related NULL pointer dereferences
- Implement rate limiting on endpoints that accept JWK file uploads
- Monitor for unusual patterns in JWT authentication failures that may indicate exploitation attempts
- Set up alerts for LibJWT-related error messages in application logs
How to Mitigate CVE-2026-33996
Immediate Actions Required
- Upgrade LibJWT to version 3.3.0 or later immediately
- Audit all applications using LibJWT to identify vulnerable versions
- Restrict JWK file imports to trusted sources only until patching is complete
- Use the jwk2key tool to validate JWK files before importing them
Patch Information
The vulnerability has been fixed in LibJWT version 3.3.0. The fix adds proper NULL value checks when parsing JSON string values in RSA-PSS JWK handling. The security patch is available through the official commit. Users should update their LibJWT dependency to version 3.3.0 or newer to remediate this vulnerability.
Workarounds
- Do not import JWK files from untrusted or unverified sources
- Use the jwk2key utility to check for validity of JWK files before processing
- If possible, avoid using JWK files with RSA-PSS keys until the patch can be applied
- Implement application-level input validation to reject malformed JWK structures before LibJWT processing
# Configuration example
# Validate a JWK file before importing it (jwk2key ships with LibJWT)
jwk2key --check /path/to/untrusted.jwk
# Update LibJWT to the patched version
# Package managers: apt has no ">=" version syntax (an unquoted ">=" is a
# shell redirect), so confirm the candidate is 3.3.0 or later first.
# The package name varies by distribution; "libjwt" is used here as given.
apt-cache policy libjwt
apt-get update && apt-get install libjwt
# Or rebuild from source (LibJWT 3.x builds with CMake):
git clone https://github.com/benmcollins/libjwt.git
cd libjwt
git checkout v3.3.0
mkdir build && cd build
cmake .. && make && make install
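The defect class described in the technical details, and the application-level type check suggested under Workarounds, as one added C example. This is not LibJWT's code: a small tagged-union object stands in for a parsed JSON document (LibJWT itself uses jansson, whose json_string_value() likewise returns NULL for a non-string value), the sample JWKs are constructed, and the required-member set {kty, n, e} is an assumption based on the RSA JWK parameters in RFC 7518. modulus_len_unchecked() shows the unchecked pattern; rsa_pss_jwk_is_well_typed() and modulus_len_checked() show the check that turns a type-confused "n" into an error return instead of a crash.

```c
/* Added example, not LibJWT code: unchecked vs. checked handling of a
 * JWK member that is expected to be a string but arrives as an integer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { JV_STRING, JV_INTEGER } jv_type;

typedef struct {
    const char *key;
    jv_type type;
    const char *str;   /* valid when type == JV_STRING */
    long integer;      /* valid when type == JV_INTEGER */
} jv_member;

typedef struct {
    const jv_member *members;
    size_t count;
} jv_object;

/* Look up a member by key; NULL if the key is absent. */
static const jv_member *jv_get(const jv_object *obj, const char *key) {
    for (size_t i = 0; i < obj->count; i++)
        if (strcmp(obj->members[i].key, key) == 0)
            return &obj->members[i];
    return NULL;
}

/* Stand-in for jansson's json_string_value(): NULL unless the value
 * is a string. This is the return value the vulnerable code trusted. */
static const char *jv_string_value(const jv_member *m) {
    return (m && m->type == JV_STRING) ? m->str : NULL;
}

/* Vulnerable pattern (CWE-476): the pointer is used without a NULL check.
 * With an integer "n", strlen(NULL) dereferences a NULL pointer. */
size_t modulus_len_unchecked(const jv_object *jwk) {
    const char *n = jv_string_value(jv_get(jwk, "n"));
    return strlen(n);
}

/* Assumed required string members of an RSA(-PSS) JWK (RFC 7518). */
static const char *const RSA_REQUIRED[] = { "kty", "n", "e" };

/* Returns 1 when every required member is present and is a string.
 * Usable as a pre-validation step before handing a JWK to the library. */
int rsa_pss_jwk_is_well_typed(const jv_object *jwk) {
    for (size_t i = 0; i < sizeof RSA_REQUIRED / sizeof *RSA_REQUIRED; i++)
        if (jv_string_value(jv_get(jwk, RSA_REQUIRED[i])) == NULL)
            return 0;
    return 1;
}

/* Hardened pattern: reject type-confused input with -1 instead of crashing. */
long modulus_len_checked(const jv_object *jwk) {
    if (!rsa_pss_jwk_is_well_typed(jwk))
        return -1;
    return (long)strlen(jv_string_value(jv_get(jwk, "n")));
}

/* Constructed sample inputs: a well-typed key and one where "n" is an
 * integer where the parser expects a base64url string. */
static const jv_member good_members[] = {
    { "kty", JV_STRING, "RSA", 0 },
    { "alg", JV_STRING, "PS256", 0 },
    { "n",   JV_STRING, "sample-modulus", 0 },
    { "e",   JV_STRING, "AQAB", 0 },
};
static const jv_member bad_members[] = {
    { "kty", JV_STRING, "RSA", 0 },
    { "alg", JV_STRING, "PS256", 0 },
    { "n",   JV_INTEGER, NULL, 12345 },
    { "e",   JV_STRING, "AQAB", 0 },
};
const jv_object GOOD_JWK = { good_members, 4 };
const jv_object BAD_JWK  = { bad_members, 4 };

int main(void) {
    printf("well-typed JWK: n length %ld\n", modulus_len_checked(&GOOD_JWK));
    printf("type-confused JWK: result %ld\n", modulus_len_checked(&BAD_JWK));
    /* modulus_len_unchecked(&BAD_JWK) would segfault here. */
    return 0;
}
```

The checked path is the shape of the 3.3.0 fix as the advisory describes it: every string accessor result is tested for NULL before any string operation, so a malformed file yields an error rather than a process crash.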
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.