Severity by source
Primary rating from Vendor (redhat): CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H
AV:N reflects network-based LDAP communication; AC:H and PR:H reflect the required control of the LDAP KDB backend; A:H for the KDC crash; C:L for the heap read leak to an already-privileged attacker.
Description (CVE.org)
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.
Analysis (AI)
Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. …
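The arithmetic behind the underflow, shown as an added example rather than krb5's own code: a simplified stand-in for the unchecked `bv_len - 2` pattern beside a checked version that validates the length before any copy. It assumes, as the description implies, a 2-byte prefix followed by the payload; `unchecked_tl_len`, `checked_tl_len` and `parse_tl_payload` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length derived by the unchecked pattern described above: the unsigned
 * subtraction bv_len - 2 wraps for bv_len < 2 and the result is truncated
 * to uint16_t, giving 0xFFFE (65534) for bv_len == 0 and 0xFFFF (65535)
 * for bv_len == 1. Kept only to show the arithmetic; never use it as a
 * copy length. */
uint16_t unchecked_tl_len(size_t bv_len)
{
    return (uint16_t)(bv_len - 2);
}

/* Hardened variant: refuse values that cannot hold the assumed 2-byte
 * prefix, and values whose payload would not fit a 16-bit length field,
 * before subtracting. Returns 0 on success, -1 on malformed input. */
int checked_tl_len(size_t bv_len, uint16_t *out)
{
    *out = 0;
    if (bv_len < 2 || bv_len - 2 > UINT16_MAX)
        return -1;
    *out = (uint16_t)(bv_len - 2);
    return 0;
}

/* Copies the payload after the 2-byte prefix into out (capacity out_cap).
 * Returns the number of bytes copied, or -1 if the attribute is malformed
 * or too large for out. Because the length is validated first, the memcpy
 * source never extends past the bv_len bytes actually present. */
long parse_tl_payload(const unsigned char *bv_val, size_t bv_len,
                      unsigned char *out, size_t out_cap)
{
    uint16_t n;
    if (checked_tl_len(bv_len, &n) != 0 || n > out_cap)
        return -1;
    memcpy(out, bv_val + 2, n);
    return (long)n;
}

int main(void)
{
    /* Constructed inputs: the two short lengths the advisory describes. */
    printf("bv_len=0 -> unchecked length %d\n", (int)unchecked_tl_len(0));
    printf("bv_len=1 -> unchecked length %d\n", (int)unchecked_tl_len(1));
    return 0;
}
```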
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation is only possible when MIT krb5 is configured to use the LDAP KDB plugin, a non-default configuration that requires explicit setup of libkdb_ldap in krb5.conf or kdc.conf. … |
| Risk Assessment | The CVSS 3.1 base score of 5.0 with vector AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H accurately encodes the constrained exploitation path. … |
| Exploit Scenario | An attacker who has compromised an LDAP server serving as the Kerberos KDB backend constructs a malformed LDAP response to a principal lookup, returning a krbExtraData attribute with bv_len set to 0 or 1. When the KDC or kadmind calls berval2tl_data() to parse the attribute, the unsigned subtraction wraps to 0xFFFE or 0xFFFF, causing a memcpy to read up to 65,534 bytes beyond the 0- or 1-byte source buffer on the heap, either crashing the KDC process (availability impact) or surfacing heap memory contents to the attacker (confidentiality impact). … |
| Remediation | Apply the vendor-supplied patch from Red Hat once released; no exact patched version had been confirmed in the available data at the time of analysis. … |
Related identifiers: EUVD-2026-36219, GHSA-85rq-mqr4-hjw7