Regarding confirmation for CVE-2025-57736 in krb5

Ankit Srivastava ankit.k.srivastava at oracle.com
Mon Sep 1 03:02:38 EDT 2025


Hi Team,
While reviewing the Kerberos 1.22.1 release note<https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.1.html> I have found the CVE claim mentioned below: Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

But the same has not been mentioned in 1.22!

Based on my due diligence, it looks like commit 7ae0adc<https://github.com/krb5/krb5/commit/7ae0adcdf16687810f747e284c9fb571a561c5bd#diff-08d5eceeaa8561414331bf0e35a895bdb2b926688aeec402dc42be201763979e>, which was merged in 1.22 with the newly introduced function "kg_verify_checksum_v3", caused this issue, and the CVE got resolved with commit 2531770<https://github.com/krb5/krb5/commit/2531770c10115cb8b5ff529f813d86fa5a36db4c>.

So, does it impact users who are using krb5 1.21.3 or prior releases, or does it only impact users who have krb5 1.22?


Regards,

Ankit Srivastava
