[krbdev.mit.edu #9205] git commit
Greg Hudson via RT
rt at krbdev.mit.edu
Thu Apr 23 18:25:51 EDT 2026
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9205 >
Fix two NegoEx parsing vulnerabilities
In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.
Reported by Cem Onat Karagun.
CVE-2026-40355:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.
CVE-2026-40356:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear
possible.
(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
https://github.com/krb5/krb5/commit/acea6182e46fff3d1d64a3172cdff307b07ca441
Author: Greg Hudson <ghudson at mit.edu>
Commit: acea6182e46fff3d1d64a3172cdff307b07ca441
Branch: krb5-1.22
src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
More information about the krb5-bugs
mailing list