
Apache Kerby EUVD-2026-39648

CVE-2026-57914 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-26 apache GHSA-x6vc-x4v4-hjhr
6.5 (CVSS 3.1 · Vendor: apache)

Severity by source

Vendor (apache), primary: 6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

vuln.today AI: 7.5 HIGH
Network-reachable pre-auth ASN.1 parsing, no interaction needed, impact is complete service availability loss only.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 26, 2026 - 13:01 (EUVD)
Analysis generated: Jun 26, 2026 - 12:20 (vuln.today)

Description (CVE.org)

By sending a deeply nested ASN1 structure to an Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Analysis (AI)

Denial of service in Apache Kerby allows remote attackers to crash a Kerby client or service by delivering a deeply nested ASN.1 structure that exhausts JVM stack depth and triggers an unhandled StackOverflowError. All versions prior to 2.1.2 are affected. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Reach Kerby network endpoint
Delivery: Craft deeply nested ASN.1 structure
Exploit: Send malformed Kerberos message
Install: Trigger recursive parser
C2: JVM stack depth exhausted
Execute: StackOverflowError thrown
Impact: Service process crashes

Vulnerability Assessment (AI)

Exploitation: The target system must be running Apache Kerby in any version prior to 2.1.2 as either a KDC service or a Kerby-enabled client that accepts inbound Kerberos messages. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: No CVSS vector or EPSS score was provided in the source data, so risk metrics must be independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker on the network sends a single Kerberos AS-REQ message to a Kerby-backed KDC or service endpoint, embedding a deeply nested ASN.1 SEQUENCE structure that exceeds the JVM default stack depth during recursive parsing. The Kerby process throws an uncaught StackOverflowError and terminates, immediately disrupting authentication for all clients relying on that endpoint. …

Remediation: Upgrade Apache Kerby to version 2.1.2, the vendor-confirmed fix version as documented in the Apache mailing list advisory at https://lists.apache.org/thread/w98h2q8wz0bq97vhz4vf55hqomcb2j1m. … Detailed patch versions, workarounds, and compensating controls in full report.
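The failure mode above is a recursive decoder whose depth is controlled by the sender. The defensive pattern, shown here as an added Python illustration (not Apache Kerby's Java code and not the 2.1.2 fix, whose details the advisory does not give), is to walk the DER/BER tag-length-value structure with an explicit stack and reject a message whose nesting exceeds a policy limit before any recursive decoder touches it. MAX_DEPTH and the nested_sequences helper are constructed for the example.

```python
MAX_DEPTH = 32  # assumed policy limit; genuine Kerberos PDUs nest far less deeply

class NestingTooDeep(ValueError):
    """Raised before any recursive decoder gets to see the over-nested message."""

def _tlv_header(buf: bytes, pos: int):
    """Parse identifier + definite length at buf[pos]; return (constructed, body_start, body_len)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    pos += 2
    if first & 0x80 == 0:                       # short-form length
        length = first
    else:                                       # long-form length, 1..4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element length exceeds buffer")
    return bool(tag & 0x20), pos, length

def max_nesting_depth(buf: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest nesting of constructed elements in buf; raise NestingTooDeep past `limit`."""
    pos, deepest, ends = 0, 0, []  # `ends`: explicit stack of container end offsets, so no recursion
    while pos < len(buf) or ends:
        while ends and pos >= ends[-1]:         # leave containers that are fully read
            ends.pop()
        if pos >= len(buf):
            break
        constructed, body, length = _tlv_header(buf, pos)
        if constructed:
            ends.append(body + length)
            deepest = max(deepest, len(ends))
            if len(ends) > limit:               # stop here instead of decoding the rest
                raise NestingTooDeep(f"nesting depth {len(ends)} exceeds limit {limit}")
            pos = body                          # descend into the container
        else:
            pos = body + length                 # skip the primitive body
    return deepest

def nested_sequences(depth: int) -> bytes:
    """Constructed test input: `depth` nested empty SEQUENCEs (depth <= 64, short-form lengths)."""
    out = b""
    for _ in range(depth):
        out = b"\x30" + bytes([len(out)]) + out
    return out
```

Because the walker only reads headers and skips primitive bodies, it costs a few bytes of work per element regardless of how large the message is, which makes it cheap enough to run on every inbound PDU ahead of the real decoder.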


Vendor Status


EUVD-2026-39648 vulnerability details – vuln.today
