
Apache Kerby

2 CVEs

CVE-2026-57915 | HIGH | PATCH | This Week

Authentication bypass in Apache Kerby before 2.1.2 lets remote attackers defeat Kerberos pre-authentication by submitting a PA-DATA element with an unrecognized or unsupported type, causing the KDC to skip the pre-auth check rather than reject the request. The flaw affects all Apache Kerby deployments below 2.1.2 that act as a Kerberos KDC/AS, and is fixed in version 2.1.2. No public exploit was identified at the time of analysis, there is no CISA KEV listing, and EPSS data was not provided; CVSS is rated 7.3 (High) with partial confidentiality, integrity, and availability impact.

Tags: Authentication Bypass, Apache, Apache Kerby
Sources: NVD, VulDB
CVSS 3.1: 7.3
EPSS: 0.3%
CVE-2026-57914 | MEDIUM | PATCH | This Month

Denial of service in Apache Kerby allows remote attackers to crash a Kerby client or service by delivering a deeply nested ASN.1 structure that exhausts JVM stack depth and triggers an unhandled StackOverflowException. All versions prior to 2.1.2 are affected. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the attack primitive (a malformed Kerberos ASN.1 message) requires no authentication and is trivially constructible, making this a realistic operational risk for any internet- or network-exposed Kerby deployment.

Tags: Denial Of Service, Apache, Red Hat, Apache Kerby
Sources: NVD, VulDB
CVSS 3.1: 6.5
EPSS: 0.3%
