Skip to main content

MIT Kerberos 5 CVE-2026-40355

| EUVDEUVD-2026-25981 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-28 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Unauthenticated network DoS with availability-only impact, but exploitation depends on a non-default NegoEx registration in /etc/gss/mech outside the attacker's control, warranting AC:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

12
Analysis Updated
Jul 08, 2026 - 12:58 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 08, 2026 - 12:58 vuln.today
Analysis Updated
Jul 08, 2026 - 12:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 12:52 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 12:52 NVD
MEDIUM HIGH
CVSS changed
Jul 08, 2026 - 12:52 NVD
5.9 (MEDIUM) 7.5 (HIGH)
Patch released
Apr 28, 2026 - 20:11 nvd
Patch available
Patch available
Apr 28, 2026 - 07:16 EUVD
Analysis Generated
Apr 28, 2026 - 06:00 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 05:30 euvd
EUVD-2026-25981
Analysis Generated
Apr 28, 2026 - 05:30 vuln.today
CVE Published
Apr 28, 2026 - 00:00 nvd
MEDIUM 5.9

DescriptionNVD

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.

AnalysisAI

Remote denial of service in MIT Kerberos 5 (krb5) before 1.22.3 lets an unauthenticated attacker crash any GSS-API acceptor that has a NegoEx mechanism registered in /etc/gss/mech. Sending a malformed NegoEx token to an application that calls gss_accept_sec_context() triggers a NULL pointer dereference in parse_nego_message, terminating the process (CWE-476). No public exploit identified at time of analysis; EPSS is low (0.07%) and CISA SSVC lists exploitation as proof-of-concept only, with technical impact rated partial and not automatable.

Technical ContextAI

The flaw lives in the SPNEGO/NegoEx code path of the GSS-API library shipped with MIT krb5 (cpe:2.3:a:mit:kerberos_5). NegoEx is the extended negotiation protocol layered on top of SPNEGO to select modern GSS mechanisms, and it is only reached when an administrator registers a NegoEx-capable mechanism in the /etc/gss/mech plugin configuration. The vendor commit 2e75f0d9 shows parse_nego_message failing to verify that a parsed pointer 'p' is non-NULL before use, and parse_message accepting inconsistent length fields (it was missing the header_len < (in->ptr - msg_base) lower-bound check alongside the header_len/msg_len sanity checks). A crafted token carrying invalid message sizes therefore leaves a NULL pointer that is subsequently dereferenced. This is a classic input-validation gap (CWE-476) on attacker-controlled protocol data that is parsed before authentication completes.

RemediationAI

Vendor-released patch: upgrade to MIT krb5 1.22.3 or later, which adds the missing NULL check and length-consistency validation to the NegoEx parser (upstream commit https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f). Distribution users should apply their packaged fix - Red Hat customers via RHSA-2026:12220 (https://access.redhat.com/errata/RHSA-2026:12220) - and check https://web.mit.edu/kerberos/advisories/ for other platforms. Where immediate patching is not possible, a targeted compensating control is to remove or comment out the NegoEx mechanism entry in /etc/gss/mech so the vulnerable parse_nego_message path is never reached; the trade-off is loss of NegoEx-based mechanism negotiation for any clients that depend on it. Additionally, restrict network reachability of the affected acceptor service to trusted clients to limit who can deliver a crafted token.

CVE-2022-42898 HIGH POC
8.8 Dec 25

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to r

CVE-2024-26461 HIGH POC
7.5 Feb 29

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Rated high se

CVE-2022-39028 HIGH POC
7.5 Aug 30

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference v

CVE-2014-4345 HIGH
8.5 Aug 14

Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP

CVE-2017-15088 CRITICAL
9.8 Nov 23

plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name

CVE-2014-5352 CRITICAL
9.0 Feb 19

The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in

CVE-2014-9421 CRITICAL
9.0 Feb 19

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x t

CVE-2017-11462 CRITICAL
9.8 Sep 13

Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving

CVE-2012-1014 CRITICAL
9.0 Aug 06

The process_as_req function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does

CVE-2024-37371 CRITICAL
9.1 Jun 28

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling

CVE-2012-1015 CRITICAL
9.3 Aug 06

The kdc_handle_protected_negotiation function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1

CVE-2024-26462 MEDIUM POC
5.5 Feb 29

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. Rated medium severity (CVSS 5.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-40355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy