NULL pointer dereference in Benmcollins Libjwt
CVE-2026-33996
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exp…
EPSS: 0.000 (0.3th percentile)
Affected products
- Benmcollins Libjwt — versions >= 3.0.0, < 3.3.0
Weakness classification (CWE)
References
- https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66 (x_refsource_CONFIRM)
- https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c (x_refsource_MISC)