Description
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read.
The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.
Published: 2026-06-11
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer underflow occurs in the berval2tl_data() function of MIT krb5, where the library subtracts 2 from a length value that may be zero or one without first checking the bound. The subtraction wraps to a large number, the result is truncated to a 16‑bit value, and a malloc followed by a memcpy reads up to 65534 bytes from a buffer that actually contains one or fewer bytes. This heap out‑of‑bounds read can expose data residing in adjacent memory and may allow an attacker to gather sensitive information. The weakness is a classic integer underflow (CWE‑191).
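The unchecked subtraction from the Description and the Impact paragraph, next to the bounds check that removes it, as an added illustration that is not krb5's own code: berval_like, vulnerable_tl_len, safe_tl_len and safe_tl_copy are hypothetical names modelled on the text, and the 2‑byte header length comes from the (bv_len - 2) the advisory quotes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* Stand-in for an LDAP berval (length + pointer): an assumed shape, not krb5's struct. */
struct berval_like { size_t bv_len; unsigned char *bv_val; };
/* Hypothetical reconstruction of the arithmetic the advisory describes: unsigned
 * (bv_len - 2) wraps for bv_len < 2 and the cast to uint16_t yields 0xFFFE/0xFFFF.
 * Only the length is computed here; nothing is copied. */
uint16_t vulnerable_tl_len(const struct berval_like *bv)
{
    return (uint16_t)(bv->bv_len - 2);
}

/* Hardened form: refuse values shorter than the 2-byte header before subtracting,
 * and refuse payloads longer than the uint16_t length field can hold. */
int safe_tl_len(const struct berval_like *bv, uint16_t *out)
{
    if (bv->bv_len < 2 || bv->bv_len - 2 > UINT16_MAX)
        return -1;
    *out = (uint16_t)(bv->bv_len - 2);
    return 0;
}

/* Hardened copy: malloc + memcpy only run after the length has been validated. */
unsigned char *safe_tl_copy(const struct berval_like *bv, uint16_t *out_len)
{
    uint16_t n;
    unsigned char *p;
    if (safe_tl_len(bv, &n) != 0)
        return NULL;
    p = malloc(n ? n : 1);          /* avoid malloc(0) for an empty payload */
    if (p == NULL)
        return NULL;
    memcpy(p, bv->bv_val + 2, n);
    *out_len = n;
    return p;
}

int main(void)
{
    /* Constructed inputs: a 0-byte value, a 1-byte value and a well-formed 5-byte one. */
    struct berval_like empty = { 0, (unsigned char *)"" }, one = { 1, (unsigned char *)"x" };
    struct berval_like ok = { 5, (unsigned char *)"\x00\x03" "abc" };
    uint16_t n = 0;
    int r0 = safe_tl_len(&empty, &n), r1 = safe_tl_len(&one, &n), r2 = safe_tl_len(&ok, &n);
    printf("wrapped lengths: 0x%04X 0x%04X\n", vulnerable_tl_len(&empty), vulnerable_tl_len(&one));
    printf("hardened: %d %d %d (n=%u)\n", r0, r1, r2, (unsigned)n);
    return 0;
}
```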

Affected Systems

The vulnerability surfaces in all Red Hat‑maintained products that ship the MIT krb5 implementation, including Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. No specific minor version constraints are listed, so any release that contains the affected krb5 library is considered vulnerable.

Risk and Exploitability

The CVSS score is 5, categorizing the flaw as medium severity, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. The attack requires a malicious or compromised LDAP KDB backend that can return a krbExtraData attribute with a length less than two. When a KDC or kadmind reads principal data, the underflow is triggered. Thus the exploitation vector hinges on the ability to manipulate LDAP attributes, which typically demands privileged or administrative access to the LDAP server rather than a publicly reachable network interface.

Generated by OpenCVE AI on June 11, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Red Hat security patch for CVE‑2026‑11850 on RHEL 6–10, RHEL Hardened Images, and OpenShift 4 as listed at https://access.redhat.com/security/cve/CVE-2026-11850.
  • If the patch is not yet available for a particular platform, restrict the LDAP KDB backend so that it cannot supply a krbExtraData attribute with a length below two, or otherwise limit write access to attributes used by krb5.
  • Implement monitoring of LDAP traffic to detect anomalous krbExtraData attributes or unusually large buffer reads, and trigger alerts when such patterns are observed.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:00:00 +0000

Type: Description
Values Added: An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.

Type: Title
Values Added: Krb5: krb5: integer underflow in berval2tl_data() leads to heap out-of-bounds read

Type: First Time appeared
Values Added: Redhat; Redhat enterprise Linux; Redhat hummingbird; Redhat openshift

Type: Weaknesses
Values Added: CWE-191

Type: CPEs
Values Added:
  cpe:/a:redhat:hummingbird:1
  cpe:/a:redhat:openshift:4
  cpe:/o:redhat:enterprise_linux:10
  cpe:/o:redhat:enterprise_linux:6
  cpe:/o:redhat:enterprise_linux:7
  cpe:/o:redhat:enterprise_linux:8
  cpe:/o:redhat:enterprise_linux:9

Type: Vendors & Products
Values Added: Redhat; Redhat enterprise Linux; Redhat hummingbird; Redhat openshift

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-11T12:37:05.721Z

Reserved: 2026-06-10T08:12:34.560Z

Link: CVE-2026-11850

Vulnrichment

Updated: 2026-06-11T12:36:51.179Z

NVD

Status: Received

Published: 2026-06-11T10:16:21.217

Modified: 2026-06-11T10:16:21.217

Link: CVE-2026-11850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T11:30:06Z

Weaknesses
  • CWE-191: Integer Underflow (Wrap or Wraparound)