Description
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
Published: 2026-04-28
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑Bounds Read and Process Termination
Action: Immediate Patch
AI Analysis

Impact

An integer underflow in the gss_accept_sec_context() function of MIT Kerberos 5 allows an unauthenticated attacker to trigger an out‑of‑bounds read when the NegoEx mechanism is registered via /etc/gss/mech. This can cause the process handling the request to terminate during parse_message, leading to a denial of service for the affected Kerberos service. The weakness is classified as CWE‑191 (Integer Underflow), in which a subtraction wraps below the minimum representable value and the resulting unexpected value is then used for a memory access, here an out‑of‑bounds read.

Affected Systems

The vulnerability impacts installations of MIT Kerberos 5 prior to version 1.22.3. Systems that load or register the NegoEx mechanism from /etc/gss/mech are susceptible, regardless of the specific Kerberos service (e.g., KDC, krb5kdc, or client authentication).

Risk and Exploitability

The CVSS score is 5.9, indicating a moderate severity. No EPSS score is available, but the vulnerability can be triggered without authentication over the network, implying that an attacker with network access to the Kerberos server could abuse it. The vulnerability is not listed in CISA KEV at this time, although the lack of exploitation evidence does not preclude future use. The surface is limited to machines configured with NegoEx; disabling that mechanism reduces risk.

Generated by OpenCVE AI on April 28, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kerberos to version 1.22.3 or later, which contains the fix for the integer underflow.
  • If an upgrade is not immediately possible, remove the NegoEx mechanism entry from /etc/gss/mech or rename that file so that the Kerberos libraries do not load it, thereby preventing the underflow condition.
  • After modifying configuration or updating the package, restart all Kerberos‑related services to ensure the changes take effect.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 12:15:00 +0000

Type: Title
Values Added: krb5: MIT Kerberos 5 (krb5): Denial of Service via integer underflow and out-of-bounds read

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important


Tue, 28 Apr 2026 06:30:00 +0000

Type: Description
Values Added: In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.

Type: First Time appeared
Values Added: Mit; Mit kerberos 5

Type: Weaknesses
Values Added: CWE-191

Type: CPEs
Values Added: cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Mit; Mit kerberos 5

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T13:10:24.842Z

Reserved: 2026-04-11T00:00:00.000Z

Link: CVE-2026-40356

Vulnrichment

Updated: 2026-04-28T13:10:18.299Z

NVD

Status : Awaiting Analysis

Published: 2026-04-28T07:16:03.197

Modified: 2026-04-28T20:11:56.713

Link: CVE-2026-40356

Redhat

Severity : Important

Public Date: 2026-04-28T00:00:00Z

Links: CVE-2026-40356 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses