Description
By sending a deeply nested ASN1 structure to an Apache Kerby client or service, it's possible to trigger a StackOverflow exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sending a deeply nested ASN1 structure to an Apache Kerby client or service can trigger a StackOverflow exception. The overflow can crash the component, resulting in a denial of service. The weakness is classified as CWE-400, Uncontrolled Resource Consumption.

Affected Systems

The vulnerability affects Apache Kerby (vendor: Apache Software Foundation). All deployments running a version of Kerby older than 2.1.2 are potentially impacted. Upgrading to version 2.1.2 or later mitigates the risk.

Risk and Exploitability

EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, but the nature of a stack overflow suggests a high likelihood that an attacker can exploit the flaw. The CVSS score of 6.5 classifies the vulnerability as medium severity. The exploit can be delivered remotely by sending a deeply nested ASN1 structure, which the Kerby component parses recursively without a depth check. An attacker does not need local privileges, and once the stack overflows, the affected service can become unresponsive, potentially affecting users and downstream systems.
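The missing check described above, as an added illustration in Python (Apache Kerby itself is Java, and this is not Kerby's parser): a minimal DER/BER TLV walker that descends into constructed tags, run once with no nesting bound and once with one. The names (`decode`, `accepts`, `nest_sequence`), the `MAX_DEPTH` value and the nested sample input are all constructed for this example.

```python
"""Depth-bounded DER/BER TLV walker.

Added illustration in Python (Apache Kerby itself is Java); the names, the
limit and the sample input below are constructed for this example.
"""

MAX_DEPTH = 32  # assumed bound; set it to what your protocol's messages need


class DepthLimitExceeded(ValueError):
    """Raised instead of letting recursion run until the stack is exhausted."""


def _encode_length(n):
    """BER length: short form below 0x80, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nest_sequence(levels):
    """Constructed sample input: `levels` SEQUENCEs wrapped around INTEGER 1."""
    tlv = b"\x02\x01\x01"  # INTEGER 1
    for _ in range(levels):
        tlv = b"\x30" + _encode_length(len(tlv)) + tlv  # SEQUENCE { tlv }
    return tlv


def _read_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def decode(buf, max_depth=MAX_DEPTH, _depth=0):
    """Parse consecutive TLVs into [(tag, children_or_bytes), ...].

    Constructed tags (bit 0x20 set) recurse one level deeper. With
    max_depth=None nothing stops that recursion, which is the shape of the
    flaw in the advisory; with a bound the parser raises a catchable error.
    """
    if max_depth is not None and _depth > max_depth:
        raise DepthLimitExceeded(f"ASN.1 nesting exceeds {max_depth} levels")
    out = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not handled in this example")
        pos += 1
        length, pos = _read_length(buf, pos)
        end = pos + length
        if end > len(buf):
            raise ValueError("truncated value")
        body = buf[pos:end]
        if tag & 0x20:
            out.append((tag, decode(body, max_depth, _depth + 1)))
        else:
            out.append((tag, bytes(body)))
        pos = end
    return out


def accepts(buf, max_depth=MAX_DEPTH):
    """True if buf parses within the bound, False if rejected for depth."""
    try:
        decode(buf, max_depth)
        return True
    except DepthLimitExceeded:
        return False


if __name__ == "__main__":
    print("10 levels, bound 16:", accepts(nest_sequence(10), 16))  # True
    print("40 levels, bound 16:", accepts(nest_sequence(40), 16))  # False
    try:
        decode(nest_sequence(5000), max_depth=None)
    except RecursionError:
        print("unbounded parser: RecursionError (JVM analogue: StackOverflowError)")
```

The unbounded call ends in Python's `RecursionError`, the interpreter's own guard; on the JVM the same recursion ends in `StackOverflowError`, which is not safely recoverable inside the parsing thread, so the bound has to be checked before the descent rather than caught afterwards. The check is a single counter passed down the recursion, which is what a fix for this class of bug usually looks like.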

Generated by OpenCVE AI on June 26, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Kerby to version 2.1.2 or later.
  • Restrict access to Kerby services to trusted network segments to reduce the attack surface.
  • Monitor application logs for stack overflow exceptions and configure automatic service restarts when crashes occur.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Apache; Apache kerby
Vendors & Products                     Apache; Apache kerby

Fri, 26 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 12:00:00 +0000

Type          Values Removed   Values Added
Description                    By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
Title                          Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures
Weaknesses                     CWE-400
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-26T18:36:16.816Z

Reserved: 2026-06-26T10:30:20.861Z

Link: CVE-2026-57914

Vulnrichment

Updated: 2026-06-26T13:02:40.375Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:15:04Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption