[17093] in Kerberos-V5-bugs
[krbdev.mit.edu #9205] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Apr 13 13:21:54 2026
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-3015112-1776100908-1310.9205-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9205":;
Date: Mon, 13 Apr 2026 13:21:48 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Mon Apr 13 13:21:48 2026: Request 9205 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson@mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9205 >
Fix two NegoEx parsing vulnerabilities
In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.
Reported by Cem Onat Karagun.
CVE-2026-40355:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.
CVE-2026-40356:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear
possible.
https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
Author: Greg Hudson <ghudson@mit.edu>
Commit: 2e75f0d9362fb979f5fc92829431a590a130929f
Branch: master
src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
