SB2026060239 - Heap-based buffer overflow in cjose

Description

This security bulletin contains information about 1 vulnerability.

1) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in _cjose_jwe_decrypt_ek_aes_kw() in src/jwe.c when decrypting a crafted JWE using the AES Key Wrap algorithms. A remote attacker can submit a specially crafted JWE with an oversized encrypted_key value to cause a denial of service.

Only deployments that decrypt JWEs with A128KW, A192KW, or A256KW are affected.

Remediation

Install update from vendor's website.

References

• https://github.com/OpenIDC/cjose/security/advisories/GHSA-75r7-f5cv-g3wj
• https://github.com/cisco/cjose/commit/8c51d245273583a658f24ef7b08ba22f848a34a5