Source: libjwt3
Version: 3.2.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for libjwt3.

CVE-2026-33996[0]:
| LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and
| prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect
| against a NULL value when expecting to parse JSON string values. A
| specially crafted JWK file could exploit this behavior by using
| integers in places where the code expected a string. This was fixed
| in v3.3.0. A workaround is available. Users importing keys through a
| JWK file should not do so from untrusted sources. Use the `jwk2key`
| tool to check for validity of a JWK file. Likewise, if possible, do
| not use JWK files with RSA-PSS keys.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33996
    https://www.cve.org/CVERecord?id=CVE-2026-33996
[1] https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66
[2] https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c

Regards,
Salvatore
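The advisory's workaround is to check a JWK file before handing it to the library. As an added illustration (not libjwt code, not the report author's, and not a substitute for libjwt's own `jwk2key` tool), the following Python checker rejects exactly the input shape the CVE text describes: an RSA JWK whose members carry a JSON integer where RFC 7517/7518 require a base64url string. The member names come from those RFCs; the sample keys below are constructed placeholders, not real key material.

```python
"""Pre-import type check for RSA / RSA-PSS JWK files.

Added example, not part of libjwt. It does not prove a file is safe for any
particular parser; it only rejects members that are not the JSON type the
JWK RFCs require, which is the malformed input CVE-2026-33996 describes.
"""
import base64
import json

# RFC 7518 s6.3: RSA public members, then optional private members.
# Every one of them is a base64url-encoded big-endian integer (a string).
RSA_PUBLIC = ("n", "e")
RSA_PRIVATE = ("d", "p", "q", "dp", "dq", "qi")
# RFC 7518 s3.1: RSASSA-PSS algorithm identifiers.
PSS_ALGS = frozenset({"PS256", "PS384", "PS512"})
# RFC 7517 s4: common metadata members; all are strings when present.
STRING_META = ("kty", "use", "alg", "kid", "x5u", "x5t", "x5t#S256")


def _is_b64url(value):
    """True if value is a non-empty, unpadded base64url string that decodes."""
    if not isinstance(value, str) or not value or "=" in value:
        return False
    std = value.replace("-", "+").replace("_", "/")
    try:
        # validate=True makes non-alphabet characters an error instead of
        # being silently dropped, which is what a strict checker wants.
        base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except (ValueError, TypeError):
        return False
    return True


def check_rsa_jwk(jwk):
    """Return the list of problems found in one JWK object (empty list = OK)."""
    if not isinstance(jwk, dict):
        return ["JWK is not a JSON object"]
    problems = []
    for name in STRING_META:
        if name in jwk and not isinstance(jwk[name], str):
            problems.append(f'"{name}" must be a string, got {type(jwk[name]).__name__}')
    if jwk.get("kty") != "RSA":
        problems.append('"kty" is not "RSA"')
    for name in RSA_PUBLIC:
        if name not in jwk:
            problems.append(f'missing required member "{name}"')
        elif not _is_b64url(jwk[name]):
            problems.append(f'"{name}" must be a base64url string, got {type(jwk[name]).__name__}')
    for name in RSA_PRIVATE:
        if name in jwk and not _is_b64url(jwk[name]):
            problems.append(f'"{name}" must be a base64url string, got {type(jwk[name]).__name__}')
    # RFC 7518 s6.3.2: if any CRT member is present, all of them and "d" must be.
    crt = [n for n in RSA_PRIVATE[1:] if n in jwk]
    if crt and (len(crt) != 5 or "d" not in jwk):
        problems.append('incomplete private key: "d", "p", "q", "dp", "dq", "qi" must appear together')
    return problems


def is_rsa_pss(jwk):
    """True if the JWK declares one of the RSASSA-PSS algorithms."""
    return isinstance(jwk, dict) and jwk.get("alg") in PSS_ALGS


def check_jwk_text(text):
    """Check a JWK or JWK Set document; return {key_index: [problems]}.

    Only keys with problems appear, so an empty dict means every key passed.
    Index -1 is used for document-level problems.
    """
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return {-1: [f"not valid JSON: {exc}"]}
    keys = doc["keys"] if isinstance(doc, dict) and "keys" in doc else [doc]
    if not isinstance(keys, list):
        return {-1: ['"keys" must be an array']}
    result = {}
    for i, key in enumerate(keys):
        problems = check_rsa_jwk(key)
        if problems:
            result[i] = problems
    return result


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed samples: "n" below is 64 arbitrary bytes, not a real modulus.
GOOD_JWK = json.dumps({"kty": "RSA", "alg": "PS256", "kid": "demo-1",
                       "n": _b64url_encode(bytes(range(1, 65))), "e": "AQAB"})
# The crafted shape from the advisory: integers where strings are expected.
BAD_JWK = json.dumps({"kty": "RSA", "alg": "PS256", "kid": 42,
                      "n": 1234567, "e": 65537})
BAD_SET = json.dumps({"keys": [json.loads(GOOD_JWK), json.loads(BAD_JWK)]})

if __name__ == "__main__":
    for label, text in (("good", GOOD_JWK), ("bad", BAD_JWK), ("set", BAD_SET)):
        print(label, check_jwk_text(text) or "OK")
```

Run the checker over every JWK file before it reaches a key-import path, and treat any non-empty result as a reason to refuse the file. On the C side the bug class is easy to hit with a JSON library such as jansson, whose `json_string_value()` returns NULL for a value that is not a string; a caller that passes that pointer on to `strlen()` or a base64 decoder without a `json_is_string()` check dereferences NULL, which is why a type check belongs before any use of the value.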

