[17098] in Kerberos-V5-bugs
[krbdev.mit.edu #9205] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Apr 23 18:26:00 2026
From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-4084865-1776983151-1309.9205-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9205":;
Date: Thu, 23 Apr 2026 18:25:51 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9205 >
Fix two NegoEx parsing vulnerabilities
In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.
Reported by Cem Onat Karagun.
CVE-2026-40355:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.
CVE-2026-40356:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear
possible.
(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
https://github.com/krb5/krb5/commit/acea6182e46fff3d1d64a3172cdff307b07ca441
Author: Greg Hudson <ghudson@mit.edu>
Commit: acea6182e46fff3d1d64a3172cdff307b07ca441
Branch: krb5-1.22
src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
