Heap-based buffer overflow in cjose - #VU133239
Published: June 2, 2026
cjose
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in _cjose_jwe_decrypt_ek_aes_kw() in src/jwe.c when decrypting a crafted JWE that uses one of the AES Key Wrap key management algorithms. The encrypted_key member of a JWE carries the AES-KW-wrapped content encryption key (CEK), and its length is not validated against the size expected for the CEK before it is unwrapped. A remote attacker can submit a specially crafted JWE whose encrypted_key is larger than expected, overflowing a heap buffer in the decrypting process and causing a denial of service.
Only deployments that decrypt JWEs using the A128KW, A192KW or A256KW key management algorithms ("alg" header values) are affected; deployments that accept only other "alg" values do not reach the vulnerable code path.
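The check a hardened JWE decryptor should perform before unwrapping, as an added example that is not cjose's code and not taken from the advisory. It assumes the usual RFC 7518 CEK sizes for the "enc" algorithms and an unwrap primitive that behaves as RFC 3394 specifies (for example OpenSSL's AES_unwrap_key(), which writes input length minus 8 bytes to the output buffer); the function names and the two sample JWE strings are constructed for this illustration, and their encrypted_key segments are placeholders rather than real ciphertext.

```c
/*
 * Added example, not code from cjose or from the advisory: a length check a
 * JWE decryptor should perform on encrypted_key before an AES Key Wrap
 * (RFC 3394) unwrap.  Function names are illustrative.
 *
 * RFC 3394 unwrap writes (input_len - 8) bytes of plaintext.  A decryptor that
 * sizes its output buffer from the CEK length its "enc" algorithm expects and
 * then unwraps an attacker-supplied encrypted_key of arbitrary length overruns
 * that buffer.  Checking the wrapped length first removes the overflow.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CEK size in bytes for the JWE "enc" algorithms of RFC 7518 section 5; 0 if unknown. */
size_t cek_len_for_enc(const char *enc)
{
    static const struct { const char *name; size_t len; } tbl[] = {
        { "A128GCM", 16 },       { "A192GCM", 24 },       { "A256GCM", 32 },
        { "A128CBC-HS256", 32 }, { "A192CBC-HS384", 48 }, { "A256CBC-HS512", 64 },
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(enc, tbl[i].name) == 0)
            return tbl[i].len;
    return 0;
}

/* Bytes an RFC 3394 unwrap emits for a wrapped_len-byte input, i.e. how many
 * bytes it writes into the caller's output buffer.  Returns 0 when the length
 * is not a valid AES-KW ciphertext length (at least 24 bytes, multiple of 8). */
size_t aes_kw_unwrap_output_len(size_t wrapped_len)
{
    if (wrapped_len < 24 || wrapped_len % 8 != 0)
        return 0;
    return wrapped_len - 8;
}

/* 1 if an encrypted_key of wrapped_len bytes may be unwrapped into a buffer of
 * cek_len bytes.  RFC 7518 section 4.4 wraps exactly the CEK, so the ciphertext
 * must be exactly one 64-bit block longer than the CEK; anything else is
 * rejected before the unwrap primitive (e.g. OpenSSL's AES_unwrap_key()) runs. */
int aes_kw_wrapped_len_ok(size_t cek_len, size_t wrapped_len)
{
    if (cek_len == 0)
        return 0;
    return aes_kw_unwrap_output_len(wrapped_len) == cek_len;
}

/* Decoded byte length of an unpadded base64url segment (RFC 4648 section 5).
 * A remainder of one character cannot occur in valid input; return 0 then. */
size_t b64url_decoded_len(size_t n_chars)
{
    size_t full = (n_chars / 4) * 3;
    switch (n_chars % 4) {
    case 0:  return full;
    case 2:  return full + 1;
    case 3:  return full + 2;
    default: return 0;
    }
}

/* Validate the encrypted_key (second segment) of a compact-serialised JWE
 * (RFC 7516 section 7.1) against the CEK length implied by "enc", which the
 * caller has already parsed from the protected header.  Returns 1 if the
 * segment is safe to hand to the unwrap routine, 0 if it must be rejected. */
int jwe_encrypted_key_ok(const char *compact, const char *enc)
{
    const char *start = strchr(compact, '.');
    if (start == NULL)
        return 0;
    start++;
    const char *end = strchr(start, '.');
    if (end == NULL)
        return 0;
    size_t wrapped_len = b64url_decoded_len((size_t)(end - start));
    return aes_kw_wrapped_len_ok(cek_len_for_enc(enc), wrapped_len);
}

/* Constructed sample inputs: the encrypted_key segments are placeholder bytes,
 * not real ciphertext.  Protected header is {"alg":"A128KW","enc":"A128CBC-HS256"}. */
#define JWE_HDR "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0"
#define A10 "AAAAAAAAAA"
/* 54 base64url chars -> 40 bytes = 32-byte CEK + 8, what A128KW actually produces. */
const char JWE_WELL_FORMED[] = JWE_HDR "." A10 A10 A10 A10 A10 "AAAA" ".iv.ct.tag";
/* 107 base64url chars -> 80 bytes: an unchecked unwrap writes 72 bytes into a 32-byte CEK buffer. */
const char JWE_OVERSIZED[] = JWE_HDR "." A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 "AAAAAAA" ".iv.ct.tag";

int main(void)
{
    const char *enc = "A128CBC-HS256";
    printf("well-formed JWE accepted: %d\n", jwe_encrypted_key_ok(JWE_WELL_FORMED, enc));
    printf("oversized JWE accepted:   %d\n", jwe_encrypted_key_ok(JWE_OVERSIZED, enc));
    printf("bytes an unchecked unwrap of the oversized key would write: %zu (buffer is %zu)\n",
           aes_kw_unwrap_output_len(80), cek_len_for_enc(enc));
    return 0;
}
```

The check is deliberately strict: an encrypted_key that is shorter than the CEK plus 8 bytes is rejected as well, since a CEK of the wrong size is never valid for the content encryption algorithm and accepting it would only hand a malformed key to the next stage.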