Severity by source
CVSS vector (vendor: apache): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-reachable pre-auth ASN.1 parsing, no interaction needed, impact is complete service availability loss only.
Primary rating from vendor (apache).
Description (CVE.org)
By sending a deeply nested ASN1 structure to an Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
Analysis (AI)
Denial of service in Apache Kerby allows remote attackers to crash a Kerby client or service by delivering a deeply nested ASN.1 structure that exhausts JVM stack depth and triggers an unhandled StackOverflowError. All versions prior to 2.1.2 are affected. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The target system must be running Apache Kerby in any version prior to 2.1.2 as either a KDC service or a Kerby-enabled client that accepts inbound Kerberos messages. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided in the source data, so risk metrics must be independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the network sends a single Kerberos AS-REQ message to a Kerby-backed KDC or service endpoint, embedding a deeply nested ASN.1 SEQUENCE structure that exceeds the JVM default stack depth during recursive parsing. The Kerby process throws an uncaught StackOverflowError and terminates, immediately disrupting authentication for all clients relying on that endpoint. … |
| Remediation | Upgrade Apache Kerby to version 2.1.2, the vendor-confirmed fix version as documented in the Apache mailing list advisory at https://lists.apache.org/thread/w98h2q8wz0bq97vhz4vf55hqomcb2j1m. … Detailed patch versions, workarounds, and compensating controls in full report. |
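The failure mode above is a recursive-descent parser with no bound on nesting: every nested SEQUENCE adds a stack frame until the JVM throws StackOverflowError. The mitigation is to reject over-deep messages before recursion reaches the stack limit. The following is an added Python example (not Kerby's own Java code) of a minimal DER tag-length-value reader with a configurable depth limit; the MAX_DEPTH value, the helper names and the sample inputs are assumptions constructed here for the demonstration.

```python
SEQUENCE_TAG = 0x30
MAX_DEPTH = 32  # assumed limit; real Kerberos messages nest far less than this


class NestingTooDeep(ValueError):
    """Raised instead of letting recursion run until the interpreter's stack limit."""


def read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, constructed, value, next_pos)."""
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported in this example")
    first = data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:                      # indefinite or absurd length: reject
            raise ValueError("invalid length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element")
    return tag, bool(tag & 0x20), value, pos + length


def parse(data, max_depth=MAX_DEPTH, depth=0):
    """Return a nested list of (tag, payload); payload is bytes or a child list."""
    if depth > max_depth:                         # checked before descending, so the
        raise NestingTooDeep(f"ASN.1 nesting exceeds {max_depth}")  # stack never grows past it
    pos, out = 0, []
    while pos < len(data):
        tag, constructed, value, pos = read_tlv(data, pos)
        out.append((tag, parse(value, max_depth, depth + 1) if constructed else value))
    return out


def encode_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def nested_sequence(depth, leaf=b"\x02\x01\x01"):
    """Constructed sample input: INTEGER 1 wrapped in `depth` nested SEQUENCEs."""
    data = leaf
    for _ in range(depth):
        data = bytes([SEQUENCE_TAG]) + encode_length(len(data)) + data
    return data


def max_nesting(data, max_depth=MAX_DEPTH):
    """Observed nesting depth of an accepted message, or -1 if it was rejected as too deep."""
    try:
        tree = parse(data, max_depth)
    except NestingTooDeep:
        return -1

    def d(node):
        return 1 + max((d(c[1]) for c in node if isinstance(c[1], list)), default=0)
    return d(tree) - 1
```

With the limit in place an over-nested message yields a clean rejection that can be logged and counted, whereas calling `parse` with an effectively unbounded limit on a message thousands of levels deep reproduces the crash as a Python RecursionError.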
Classification and related identifiers
Weakness: CWE-400 – Uncontrolled Resource Consumption
Technique: Denial of Service
Related identifiers: EUVD-2026-39648, GHSA-x6vc-x4v4-hjhr