Description
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new
buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response
header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Published: 2025-11-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Python‑kdcproxy permits a remote denial‑of‑service attack by exploiting its failure to bound the size of TCP upstream responses. When an attacker forces kdcproxy to connect to a server under their control, each recv() call copies the entire streamed data into a fresh buffer, even if the transfer is incomplete. Because no length limits are enforced, the component will allocate memory unboundedly and use excessive CPU, triggering exhaustion of server resources. kdcproxy also accepts incoming data chunks as long as their declared length does not exactly match the response header, allowing an attacker to send arbitrarily large data until the 12‑second timeout, further depleting CPU and memory. This classic uncontrolled memory allocation flaw in a security‑critical component is identified as CWE‑770.

Affected Systems

The flaw impacts Red Hat Enterprise Linux 10, RHEL 7 ELS, RHEL 8, and RHEL 9 across all standard, extended update, and advanced mission‑critical update streams, as well as the latchset:kdcproxy component. The recent errata (RHSA‑2025:21138 through RHSA‑2025:21821) replace kdcproxy with a fixed package that enforces TCP response size limits and rejects oversized chunks. Any system running a kdcproxy version prior to these updates is susceptible.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of <1% suggests an extremely low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The most realistic attack path requires an attacker to cause kdcproxy to connect to an attacker‑controlled KDC, which could be achieved via server‑side request forgery or mis‑configured trusted host lists. Even though the exploitation probability is low, the impact can bring all Kerberos clients on the affected system to a halt if the denial‑of‑service succeeds.

Generated by OpenCVE AI on April 20, 2026 at 15:28 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Apply the latest Red Hat update that replaces the vulnerable kdcproxy package (RHSA‑2025:21138 through RHSA‑2025:21821).
  • Immediately restrict kdcproxy’s outbound connections to only authorized KDC servers using firewall rules or ACLs.
  • Monitor system memory and CPU usage for abnormal spikes and, if possible, disable kdcproxy or switch to the native Kerberos implementation until the patch is deployed.

Generated by OpenCVE AI on April 20, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 09 Dec 2025 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els
References

Thu, 20 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Eus Long Life
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:9.0::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products Redhat rhel Aus
Redhat rhel Eus Long Life
Redhat rhel Tus
References

Wed, 19 Nov 2025 08:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
References

Mon, 17 Nov 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.2::appstream
Vendors & Products Redhat rhel E4s
References

Thu, 13 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_eus:9.6
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 12 Nov 2025 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
Redhat rhel Eus
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9		 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/o:redhat:enterprise_linux:10.1
cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products Redhat enterprise Linux Eus
Redhat rhel Eus
References

Wed, 12 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Description If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Title Python-kdcproxy: remote dos via unbounded tcp upstream buffering
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-770
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Enterprise Linux Enterprise Linux Eus Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Eus Long Life Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-20T08:28:22.249Z

Reserved: 2025-09-08T21:43:30.846Z

Link: CVE-2025-59089

cve-icon Vulnrichment

Updated: 2026-01-28T19:36:03.531Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T17:15:38.360

Modified: 2026-04-20T09:16:08.537

Link: CVE-2025-59089

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-11-12T00:00:00Z

Links: CVE-2025-59089 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses