PT-2026-31004 · Jwcrypto+1

Hkmj19 · Published 2026-04-07 · Updated 2026-05-19 · CVE-2026-39373

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: JWCrypto versions prior to 1.5.7
Description: A crafted JWE token that uses the "zip" (DEFLATE) compression parameter can exhaust server memory. The earlier fix limits the input token size to 250 KB but does not validate the size of the decompressed output, so a token under the 250 KB input limit can still inflate to roughly 100 MB and cause memory exhaustion on memory-constrained systems.
Recommendations: Update to version 1.5.7 or later.
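The following stand-alone Python is an added illustration for this advisory; it is not jwcrypto's code and not the 1.5.7 patch. Using only the standard library, it shows both halves of the problem: a raw-DEFLATE stream (the encoding JWE "zip":"DEF" applies to the plaintext) that stays well under a 250 KB input cap yet inflates to 100 MiB, and a bounded inflater that enforces an output limit while decompressing incrementally, which is the check an input-size cap alone does not give you. The 250 KB figure is taken from the advisory; the 1 MiB plaintext cap, the chunk size, the zero-filled bomb payload and the sample claims are assumptions constructed for the example.

```python
import zlib

# Limits used by this demonstration. The 250 KB input cap mirrors the one the
# advisory says the earlier fix enforced; the 1 MiB plaintext cap is an
# assumed value for the example, not a jwcrypto constant.
MAX_TOKEN_BYTES = 250 * 1024
MAX_PLAINTEXT_BYTES = 1024 * 1024
CHUNK = 64 * 1024            # granularity for streaming (de)compression


def deflate_raw(chunks):
    """Raw DEFLATE (RFC 1951, no zlib header), which is what JWE "zip":"DEF"
    applies to the plaintext. Accepts an iterable of byte chunks so a large
    input never has to be held in memory at once."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 -> raw deflate
    out = [comp.compress(c) for c in chunks]
    out.append(comp.flush())
    return b"".join(out)


def make_deflate_bomb(plain_size):
    """DEFLATE stream that inflates to `plain_size` zero bytes (constructed
    payload for the example). The attacker, not the server, picks the ratio."""
    block = b"\x00" * CHUNK
    full, rest = divmod(plain_size, CHUNK)
    return deflate_raw([block] * full + ([block[:rest]] if rest else []))


def _inflate_chunks(data):
    """Yield inflated output in bounded pieces so the caller can stop early."""
    d = zlib.decompressobj(-15)
    pending = data
    while True:
        chunk = d.decompress(pending, CHUNK)   # max_length keeps each step small
        pending = d.unconsumed_tail            # input zlib has not consumed yet
        if chunk:
            yield chunk
        if d.eof:
            return
        if not chunk and not pending:
            raise ValueError("truncated DEFLATE stream")


def inflated_size(data):
    """The size an unbounded inflate would allocate. Counts instead of storing
    so the example can show the ratio without exhausting its own memory."""
    return sum(len(c) for c in _inflate_chunks(data))


def inflate_bounded(data, limit=MAX_PLAINTEXT_BYTES):
    """The missing check: inflate incrementally and abort as soon as the
    output exceeds `limit`, before the full plaintext is ever materialised."""
    out = bytearray()
    for chunk in _inflate_chunks(data):
        out += chunk
        if len(out) > limit:
            raise ValueError(f"decompressed plaintext exceeds {limit} bytes")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_deflate_bomb(100 * 1024 * 1024)
    print(f"compressed: {len(bomb)} bytes, under the {MAX_TOKEN_BYTES}-byte "
          f"input cap: {len(bomb) < MAX_TOKEN_BYTES}")
    print(f"inflates to: {inflated_size(bomb)} bytes")
    try:
        inflate_bounded(bomb)
    except ValueError as e:
        print("bounded inflater rejected it:", e)
    claims = b'{"sub":"alice","scope":"read"}'   # constructed sample plaintext
    print("benign payload round-trips:",
          inflate_bounded(deflate_raw([claims])) == claims)
```

The point of `inflate_bounded` is that the limit is enforced while the output is still small: `max_length` on `decompressobj.decompress` caps how much zlib emits per call, so a bomb is rejected after about 1 MiB of work instead of after 100 MiB has already been allocated. A cap on the ciphertext or token length alone, as the advisory notes, does not bound that allocation.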

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2026:19042
ALSA-2026:19197
BDU:2026-07340
CVE-2026-39373
GHSA-FJRM-76X2-C4Q4
OESA-2026-1923
OESA-2026-1924
OESA-2026-1925
OESA-2026-1926
OPENSUSE-SU-2026:10576-1
PYSEC-2026-70
RHSA-2026:13508
RHSA-2026:13512
RHSA-2026:19042
RHSA-2026:19197

Affected Products

Jwcrypto
Red Os