CVE-2026-39373

high

Red Hat

CVSS v3 Base Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

None

Availability

High

Published: April 7, 2026 (36 days ago)

Last Modified: April 7, 2026

Vendor: Red Hat

Source: REDHAT

Description

A flaw was found in JWCrypto, a Python library for JSON Web Key (JWK), JSON Web Signature (JWS), and JSON Web Encryption (JWE) specifications. An unauthenticated attacker can exploit this vulnerability by sending specially crafted JWE tokens that use ZIP compression. While the input token size is limited, the decompressed output size is not validated, allowing an attacker to cause excessive memory consumption. This can lead to memory exhaustion on affected systems, resulting in a Denial of Service (DoS).

CWE

CWE-770

Affected Products

Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux 10Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com

CVE-2026-39373

Vulnerability Report

Description

CWE

Affected Products

References