CVE-2026-33996 — AI Deep Analysis Summary

🚨 **Essence**: LibJWT experiences an **out-of-bounds read** when parsing JWK and RSA PSS. 💥 **Consequences**: May lead to **memory corruption**, service crashes, or information leakage.

🔍 **Root Cause**: Missing boundary checks. 🛠️ **Defect Point**: When processing specific JWK/RSA PSS structures, input length is not validated, resulting in **out-of-bounds access** (CWE-125/126).

📦 **Affected Component**: `libjwt` library. 📉 **Version**: All versions prior to commit `cfd8902`.

💀 **Attacker Capabilities**: - Trigger **Denial of Service** (DoS). - Potentially exploit out-of-bounds read to obtain **sensitive memory data**. - Attempt **Remote Code Execution** under specific conditions (requires fu…

🧠 **Exploitation Threshold**: - **Medium**: Requires crafting special malicious JWK/RSA PSS payloads. - **No Authentication Required**: Typically occurs during parsing of unauthorized or semi-authorized requests.

🕵️ **Existing Exploits**: - **No public PoC available** (pocs field is empty in data). - **In-the-wild Exploitation**: No widespread reports currently, but existence confirmed on GitHub.

🔎 **Self-Check Method**: - Verify if the `libjwt` version is earlier than commit `cfd8902`. - Scan dependencies for inclusion of older `libjwt` versions.

✅ **Official Fix**: - **Fixed**! - **Patch Commit**: `cfd890286fa49ae61b534c937c9f0428b5c6034c`. - Recommend immediate upgrade to a version containing this commit.

🛡️ **Temporary Mitigation**: - **Cannot be fully mitigated**: The vulnerability triggers during the parsing phase. - **Recommendation**: Upgrade immediately; if upgrade is not possible, restrict external JWK/RSA data sou…

🔥 **Priority**: - **High**! Involves memory safety. - **Action**: Immediately investigate and upgrade `libjwt` to prevent potential attacks.