Skip to main content

MIT Kerberos 5 CVE-2026-40356

| EUVDEUVD-2026-25993 HIGH
Integer Underflow (CWE-191)
2026-04-28 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated remote token causes a crash with no auth or interaction (PR:N/UI:N, A:H only); the NegoEx-registration prerequisite is a deployment condition, not attacker complexity, so AC:L and no C/I impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

12
Analysis Updated
Jul 08, 2026 - 13:00 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 08, 2026 - 12:59 vuln.today
Analysis Updated
Jul 08, 2026 - 12:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 12:52 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 12:52 NVD
MEDIUM HIGH
CVSS changed
Jul 08, 2026 - 12:52 NVD
5.9 (MEDIUM) 7.5 (HIGH)
Patch released
Apr 28, 2026 - 20:11 nvd
Patch available
Patch available
Apr 28, 2026 - 08:01 EUVD
Analysis Generated
Apr 28, 2026 - 06:45 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 06:30 euvd
EUVD-2026-25993
Analysis Generated
Apr 28, 2026 - 06:30 vuln.today
CVE Published
Apr 28, 2026 - 00:00 nvd
MEDIUM 5.9

DescriptionNVD

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.

AnalysisAI

Remote denial of service in MIT Kerberos 5 (krb5) before 1.22.3 allows an unauthenticated network attacker to crash any application that calls gss_accept_sec_context() on a host where a NegoEx mechanism is registered in /etc/gss/mech. A crafted NegoEx token triggers an integer underflow leading to an out-of-bounds read in parse_message(), terminating the GSS-API acceptor process. No public exploit is identified at time of analysis, EPSS risk is low (0.07%), and CISA SSVC scores exploitation as 'none'.

Technical ContextAI

The flaw lives in the SPNEGO/NegoEx handling of the GSS-API library (src/lib/gssapi/spnego/negoex_util.c). NegoEx is the extended negotiation protocol layered under SPNEGO used to negotiate modern mechanisms (e.g. PKU2U/certificate-based auth) during gss_accept_sec_context(). During message parsing, parse_message() computes header and message lengths from attacker-supplied token fields; a missing lower-bound check on header_len relative to the parsed pointer offset (in->ptr - msg_base) allows the length arithmetic to wrap (CWE-191, integer underflow/wraparound), producing a bogus large size that drives an out-of-bounds read. This code path is only reachable when a NegoEx mechanism is actually registered in the system GSS mechanism configuration file /etc/gss/mech, so builds without such a mechanism registered are not on the vulnerable path.

RemediationAI

Vendor-released patch: 1.22.3 - upgrade MIT Kerberos 5 to 1.22.3 or later, or apply your distribution's fixed package (Red Hat: RHSA-2026:12220 at https://access.redhat.com/errata/RHSA-2026:12220; upstream advisories at https://web.mit.edu/kerberos/advisories/). The fix is upstream commit 2e75f0d9362fb979f5fc92829431a590a130929f, which adds a lower-bound check on header_len in parse_message() and a NULL check in parse_nego_message(). Where immediate patching is not possible, a targeted compensating control is to remove or comment out any NegoEx mechanism entry in /etc/gss/mech so the vulnerable parse path is not reachable - the trade-off is loss of NegoEx-based negotiation (e.g. PKU2U/certificate mechanisms) for GSS acceptors, which may break authentication flows that depend on it. Network-restricting exposure of the affected acceptor service reduces reachability but does not remove the underflow.

CVE-2022-42898 HIGH POC
8.8 Dec 25

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to r

CVE-2024-26461 HIGH POC
7.5 Feb 29

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. Rated high se

CVE-2022-39028 HIGH POC
7.5 Aug 30

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference v

CVE-2014-4345 HIGH
8.5 Aug 14

Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP

CVE-2017-15088 CRITICAL
9.8 Nov 23

plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name

CVE-2014-5352 CRITICAL
9.0 Feb 19

The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in

CVE-2014-9421 CRITICAL
9.0 Feb 19

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x t

CVE-2017-11462 CRITICAL
9.8 Sep 13

Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving

CVE-2012-1014 CRITICAL
9.0 Aug 06

The process_as_req function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does

CVE-2024-37371 CRITICAL
9.1 Jun 28

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling

CVE-2012-1015 CRITICAL
9.3 Aug 06

The kdc_handle_protected_negotiation function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1

CVE-2024-26462 MEDIUM POC
5.5 Feb 29

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. Rated medium severity (CVSS 5.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-40356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy