{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-40356", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:10:24.842Z", "dateReserved": "2026-04-11T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kerberos 5", "vendor": "MIT", "versions": [{"lessThan": "1.22.3", "status": "affected", "version": "1.18", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T05:23:13.610Z"}, "references": [{"url": "https://web.mit.edu/kerberos/advisories/"}, {"url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}, {"url": "https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.18", "versionEndExcluding": "1.22.3"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:10:05.740836Z", "id": "CVE-2026-40356", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:10:24.842Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-40356", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:10:24.842Z", "dateReserved": "2026-04-11T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kerberos 5", "vendor": "MIT", "versions": [{"lessThan": "1.22.3", "status": "affected", "version": "1.18", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T05:23:13.610Z"}, "references": [{"url": "https://web.mit.edu/kerberos/advisories/"}, {"url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}, {"url": "https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.18", "versionEndExcluding": "1.22.3"}]}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:10:05.740836Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:10:18.299Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message."}], "id": "CVE-2026-40356", "lastModified": "2026-04-28T20:11:56.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-28T07:16:03.197", "references": [{"source": "cve@mitre.org", "url": "https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html"}, {"source": "cve@mitre.org", "url": "https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f"}, {"source": "cve@mitre.org", "url": "https://web.mit.edu/kerberos/advisories/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "krb5: MIT Kerberos 5 (krb5): Denial of Service via integer underflow and out-of-bounds read", "id": "2463368", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463368"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-191", "details": ["A flaw was found in MIT Kerberos 5 (krb5). An unauthenticated remote attacker can exploit an integer underflow and an out-of-bounds read vulnerability by calling `gss_accept_sec_context()` on a system with a NegoEx mechanism registered. This can lead to the process terminating, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that the NegoEx mechanism is not registered in the `/etc/gss/mech` configuration file. Removing the corresponding entry from this file will prevent the vulnerable code path from being activated. This action may impact services that rely on the NegoEx GSS-API mechanism. A restart of affected Kerberos-dependent services may be required for the change to take effect."}, "name": "CVE-2026-40356", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "package_name": "krb5", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40356\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40356\nhttps://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html\nhttps://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f\nhttps://web.mit.edu/kerberos/advisories/"], "statement": "An Important denial of service vulnerability exists in MIT Kerberos 5, allowing an unauthenticated remote attacker to terminate processes. This occurs on systems where the NegoEx mechanism is registered and an application invokes `gss_accept_sec_context()`, leading to an integer underflow and out-of-bounds read.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.18,1.22.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "kerberos_5", "vendor": "mit"}], "analysis": {"en": {"generated_at": "2026-04-28T19:35:36.575179+00:00", "value": {"mitigation_remediation": ["Upgrade Kerberos to version 1.22.3 or later, which contains the fix for the integer underflow.", "If an upgrade is not immediately possible, remove the NegoEx mechanism entry from /etc/gss/mech or rename the directory so that the Kerberos libraries do not load it, thereby preventing the underflow condition.", "After modifying configuration or updating the package, restart all Kerberos\u2011related services to ensure the changes take effect."], "summary": {"action": "Immediate Patch", "impact": "Out\u2011of\u2011Bounds Read and Process Termination"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts installations of MIT Kerberos 5 prior to version 1.22.3. Systems that load or register the NegoEx mechanism from /etc/gss/mech are susceptible, regardless of the specific Kerberos service (e.g., KDC, krb5kdc, or client authentication).", "description_and_impact": "An integer underflow in the gss_accept_sec_context() function of MIT Kerberos 5 allows an unauthenticated attacker to trigger an out\u2011of\u2011bounds read when the NegoEx mechanism is registered via /etc/gss/mech. This can cause the process handling the request to terminate during parse_message, leading to a denial of service for the affected Kerberos service. The weakness is identified as CWE\u2011191, which describes integer conversion errors that may result in buffer overruns or truncation.", "risk_and_exploitability": "The CVSS score is 5.9, indicating a moderate severity. No EPSS score is available, but the vulnerability can be triggered without authentication over the network, implying that an attacker with network access to the Kerberos server could abuse it. The vulnerability is not listed in CISA KEV at this time, although the lack of exploitation evidence does not preclude future use. The surface is limited to machines configured with NegoEx; disabling that mechanism reduces risk."}}}}, "created": "2026-04-28T07:30:26.019954+00:00", "title": "Integer Underflow in gss_accept_sec_context() Allows Unauthenticated RDoS on Kerberos 5", "updated": "2026-04-28T19:45:07.590604+00:00", "vendors": ["mit", "mit$PRODUCT$kerberos_5"]}