Memory Exhaustion Vulnerability in JWCrypto by Latchset
CVE-2026-39373

5.3MEDIUM

Key Information:

Vendor: Latchset
Status: Jwcrypto
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39373?

The JWCrypto library, which implements JWK, JWS, and JWE specifications using python-cryptography, is susceptible to a memory exhaustion issue. An unauthenticated attacker can exploit this vulnerability by sending specifically crafted JWE tokens that utilize ZIP compression. Although a prior patch limited the input token size to 250KB, it fails to validate the decompressed output size, allowing tokens within the input limit to expand to approximately 100MB in memory on constrained systems. This could lead to significant memory consumption and potential denial of service on affected servers. The issue has been addressed in version 1.5.7.

Affected Version(s)

jwcrypto < 1.5.7

References

https://github.com/latchset/jwcrypto/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39373 Data

JSON