{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-40355", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T12:53:20.352Z", "dateReserved": "2026-04-11T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kerberos 5", "vendor": "MIT", "versions": [{"lessThan": "1.22.3", "status": "affected", "version": "1.18", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T05:13:30.215Z"}, "references": [{"url": "https://web.mit.edu/kerberos/advisories/"}, {"url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}, {"url": "https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "enrichogram 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.18", "versionEndExcluding": "1.22.3"}]}]}]}, "adp": [{"references": [{"url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T12:53:15.785781Z", "id": "CVE-2026-40355", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:53:20.352Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-40355", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T12:53:20.352Z", "dateReserved": "2026-04-11T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kerberos 5", "vendor": "MIT", "versions": [{"lessThan": "1.22.3", "status": "affected", "version": "1.18", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T05:13:30.215Z"}, "references": [{"url": "https://web.mit.edu/kerberos/advisories/"}, {"url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}, {"url": "https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "enrichogram 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.18", "versionEndExcluding": "1.22.3"}]}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40355", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T12:53:15.785781Z"}}}], "references": [{"url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:53:09.871Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message."}], "id": "CVE-2026-40355", "lastModified": "2026-04-28T20:11:56.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-28T06:16:03.663", "references": [{"source": "cve@mitre.org", "url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}, {"source": "cve@mitre.org", "url": "https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f"}, {"source": "cve@mitre.org", "url": "https://web.mit.edu/kerberos/advisories/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "krb5: MIT Kerberos 5: Denial of Service via NULL pointer dereference in NegoEx mechanism", "id": "2463370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463370"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in MIT Kerberos 5 (krb5). An unauthenticated remote attacker can exploit a NULL pointer dereference vulnerability by calling `gss_accept_sec_context()` on a system with a NegoEx mechanism registered. This can lead to the termination of the process, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, remove the NegoEx mechanism registration from the system's GSSAPI configuration if it is not required. This can typically be achieved by removing or commenting out the relevant entry in `/etc/gss/mech`. A restart of services utilizing Kerberos might be necessary for the changes to take effect, which could impact Kerberos-dependent functionality."}, "name": "CVE-2026-40355", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40355\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40355\nhttps://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html\nhttps://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f\nhttps://web.mit.edu/kerberos/advisories/"], "statement": "Moderate: This flaw allows an unauthenticated remote attacker to cause a Denial of Service in MIT Kerberos 5 by triggering a NULL pointer dereference. Exploitation requires the NegoEx mechanism to be explicitly registered in the system's GSSAPI configuration, which is not a default state in all Red Hat environments.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.18,1.22.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Kerberos 5", "source": "cna", "vendor": "MIT"}, "product": "kerberos_5", "vendor": "mit"}], "analysis": {"en": {"generated_at": "2026-04-28T12:37:50.395987+00:00", "value": {"mitigation_remediation": ["Upgrade Kerberos 5 to version 1.22.3 or later, which contains the fixed implementation of gss_accept_sec_context().", "If an upgrade is not immediately possible, remove or disable the NegoEx mechanism entry from /etc/gss/mech so that the vulnerable code path is no longer exercised.", "Restart Kerberos services to ensure the changes take effect and monitor system logs for any unexpected terminations."], "summary": {"action": "Apply Patch", "impact": "Remote Unauthenticated Denial of Service"}, "threat_synthesis": {"affected_systems": "MIT Kerberos 5 (krb5) versions prior to 1.22.3 are affected. Systems that have a NegoEx mechanism registered in /etc/gss/mech are susceptible. The issue occurs on any platform running the affected Kerberos 5 implementation.", "description_and_impact": "The vulnerability is a NULL pointer dereference that occurs when an application invokes gss_accept_sec_context() on a Kerberos 5 system with a NegoEx mechanism registered in /etc/gss/mech. The flaw causes the process to crash during parse_nego_message, resulting in a denial of service for the affected service. The weakness is classified as CWE\u2011476 and does not provide code execution or data exfiltration capabilities. The impact is limited to service disruption.", "risk_and_exploitability": "The CVSS base score of 5.9 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an unauthenticated remote attacker can trigger the flaw by sending crafted network traffic that causes a Kerberos client or server to call gss_accept_sec_context() with the vulnerable NegoEx mechanism. Because the vulnerability does not require authentication, the attack vector likely involves remote network interaction, making it potentially exploitable against exposed Kerberos services."}}}}, "created": "2026-04-28T06:30:23.880326+00:00", "title": "MIT Kerberos NULL Pointer Dereference in gss_accept_sec_context Leading to Process Termination", "updated": "2026-04-28T12:45:31.388274+00:00", "vendors": ["mit", "mit$PRODUCT$kerberos_5"]}