[krbdev.mit.edu #9205] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Apr 13 13:21:48 EDT 2026
Mon Apr 13 13:21:48 2026: Request 9205 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9205 >
Fix two NegoEx parsing vulnerabilities
In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.
Reported by Cem Onat Karagun.
CVE-2026-40355:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.
CVE-2026-40356:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear
possible.
https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
Author: Greg Hudson <ghudson at mit.edu>
Commit: 2e75f0d9362fb979f5fc92829431a590a130929f
Branch: master
src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
More information about the krb5-bugs
mailing list