Greg Hudson

17 exploits, active since Aug 2014
CVE-2014-4344
MIT Kerberos 5 1.5.x-1.12.x < 1.12.2 - Unauthenticated DoS via Empty SPNEGO Continuation Token
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
CVE-2026-40356 MEDIUM
MIT Kerberos 5 1.18 to < 1.22.3 - Unauthenticated Integer Underflow via NegoEx Mechanism
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
CVSS 5.9
CVE-2026-40355 MEDIUM
MIT Kerberos 5 1.18 to < 1.22.3 - Unauthenticated NULL Pointer Dereference via NegoEx Mechanism
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
CVSS 5.9
CVE-2015-2694
MIT Kerberos 5 1.12.x-1.13.x - Preauthentication Bypass via Zero Bytes or Arbitrary Realm
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
CVE-2015-2697
MIT Kerberos 5 < 1.14 - Authenticated Denial of Service via TGS Request Realm Field
The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request.
CVE-2015-2698
MIT Kerberos 5 1.14 pre-release 2015-09-14 - Authenticated Memory Corruption via gss_export_sec_context Function
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.
CVE-2017-11368 MEDIUM
MIT Kerberos 5 >= 1.7 - Authenticated KDC Reachable Assertion via Invalid S4U2Self/S4U2Proxy Requests
In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.
CVSS 6.5
CVE-2017-11462 CRITICAL
MIT Kerberos 5 - Double Free via Security Context Deletion on Error
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.
CVSS 9.8
CVE-2017-15088 CRITICAL
MIT Kerberos 5 through 1.15.2 - Buffer Overflow (Code Execution or DoS) via DN Fields in pkinit X.509 Handling
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.
CVSS 9.8
CVE-2018-5729 MEDIUM
MIT Kerberos 5 >= 1.6 - Authenticated Denial of Service via Tagged Data in LDAP Database Module
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVSS 4.7
CVE-2018-5730 LOW
MIT krb5 >= 1.6 - Authenticated DN Containership Check Bypass in LDAP Database Module
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.
CVSS 3.8
CVE-2020-28196 HIGH
MIT Kerberos 5 < 1.17.2 and 1.18.x < 1.18.3 - Denial of Service via Unbounded Recursion in ASN.1 BER Indefinite-Length Decoding
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
CVSS 7.5
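Added illustration of the bug class (this is not krb5's decoder): a minimal BER walker that consumes one TLV, including the indefinite-length form the advisory refers to. Each nested constructed element is consumed by recursion, so a stream of `30 80 30 80 ...` recurses once per level; passing a negative `max_depth` reproduces the unbounded behaviour, while a positive one is the fix. The 32-level limit and the nested-SEQUENCE sample input are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Skip one BER TLV starting at buf. Handles definite lengths (short and long
 * form) and the indefinite form (length byte 0x80, contents terminated by the
 * end-of-contents marker 00 00), which is only legal for constructed types.
 * max_depth < 0 means no limit (the unpatched behaviour); otherwise nesting
 * deeper than max_depth is rejected. Returns bytes consumed, 0 on error.
 */
size_t ber_skip(const uint8_t *buf, size_t len, int depth, int max_depth)
{
    size_t pos = 0;

    if (len < 2)
        return 0;
    if (max_depth >= 0 && depth > max_depth)
        return 0;                               /* recursion limit */

    uint8_t tag = buf[pos++];
    uint8_t lb = buf[pos++];
    int constructed = (tag & 0x20) != 0;

    if (lb == 0x80) {                           /* indefinite length */
        if (!constructed)
            return 0;
        for (;;) {
            if (pos + 2 > len)
                return 0;                       /* input ended before EOC */
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00)
                return pos + 2;
            size_t n = ber_skip(buf + pos, len - pos, depth + 1, max_depth);
            if (n == 0)
                return 0;
            pos += n;
        }
    }

    size_t clen;
    if (lb < 0x80) {                            /* short form */
        clen = lb;
    } else {                                    /* long form: lb & 0x7f length bytes follow */
        size_t nbytes = lb & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > len - pos)
            return 0;
        clen = 0;
        for (size_t i = 0; i < nbytes; i++)
            clen = (clen << 8) | buf[pos++];
    }
    if (clen > len - pos)
        return 0;                               /* truncated contents */
    return pos + clen;
}

/* Constructed input: n nested SEQUENCEs, every level indefinite-length. */
static size_t build_nested(uint8_t *out, size_t cap, int n)
{
    if (n < 0 || (size_t)n * 4 > cap)
        return 0;
    for (int i = 0; i < n; i++) {
        out[2 * i] = 0x30;                      /* SEQUENCE (constructed) */
        out[2 * i + 1] = 0x80;                  /* indefinite length */
    }
    for (int i = 2 * n; i < 4 * n; i++)
        out[i] = 0x00;                          /* n end-of-contents markers */
    return (size_t)n * 4;
}

/* 1 if n-deep nesting parses under the given limit, 0 if it is rejected. */
int ber_accepts_nested(int n, int max_depth)
{
    uint8_t buf[4096];
    size_t len = build_nested(buf, sizeof buf, n);
    if (len == 0)
        return 0;
    return ber_skip(buf, len, 0, max_depth) == len;
}

#define BER_MAX_DEPTH 32   /* assumed limit; ample for Kerberos messages */

int main(void)
{
    printf("depth 4, limit %d: %d\n", BER_MAX_DEPTH, ber_accepts_nested(4, BER_MAX_DEPTH));
    printf("depth 200, limit %d: %d\n", BER_MAX_DEPTH, ber_accepts_nested(200, BER_MAX_DEPTH));
    printf("depth 200, no limit (unpatched): %d\n", ber_accepts_nested(200, -1));
    return 0;
}
```

With no limit the walker happily recurses as deep as the input nests; a message a few hundred kilobytes long is enough to exhaust a default thread stack, which is the crash the advisory describes. The depth bound turns that into an ordinary decode error.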
CVE-2021-37750 MEDIUM
MIT Kerberos 5 < 1.18.5 and 1.19.x < 1.19.3 - NULL Pointer Dereference in KDC FAST Inner Body
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
CVSS 6.5
CVE-2022-42898 HIGH
MIT Kerberos 5 < 1.19.4 and 1.20.x < 1.20.1 - RCE (32-bit) or DoS via PAC Parsing Integer Overflow
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
CVSS 8.8
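Added illustration of the overflow pattern on the PAC header layout from MS-PAC (PACTYPE: cBuffers and Version as 32-bit little-endian, then cBuffers entries of PAC_INFO_BUFFER: ulType, cbBufferSize, 64-bit Offset). This is example code, not krb5's krb5_pac_parse. The unsafe functions do the arithmetic in uint32_t to show what a 32-bit size_t does, and only perform the comparison, never the follow-on read; the hardened functions bound cBuffers with a division and check offset plus size with a subtraction. The 32-byte sample PAC and the chosen hostile values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PACTYPE_LENGTH         8u
#define PAC_INFO_BUFFER_LENGTH 16u

static uint32_t load_32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t load_64_le(const uint8_t *p)
{
    return (uint64_t)load_32_le(p) | (uint64_t)load_32_le(p + 4) << 32;
}
static void store_32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Overflow-prone header check: cBuffers * 16 wraps in 32-bit arithmetic, so a
 * huge cBuffers produces a tiny header_len and passes. Only the comparison is
 * reproduced; a parser that then read cBuffers entries would over-read the heap.
 */
int pac_header_ok_unsafe(const uint8_t *data, uint32_t len)
{
    if (len < PACTYPE_LENGTH)
        return 0;
    uint32_t cbuffers = load_32_le(data);
    uint32_t header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH;   /* wraps */
    return len >= header_len;
}

/* Same pattern for one buffer: off + size wraps around and passes. */
int pac_buffer_in_bounds_unsafe(uint32_t off, uint32_t size, uint32_t len)
{
    return off + size <= len;                                               /* wraps */
}

/* Hardened: no addition that can wrap, no multiplication that can overflow. */
int pac_buffer_in_bounds_safe(uint64_t off, uint32_t size, size_t len)
{
    return off <= len && size <= len - off;
}

int pac_header_ok_safe(const uint8_t *data, size_t len)
{
    if (len < PACTYPE_LENGTH)
        return 0;
    uint32_t cbuffers = load_32_le(data);
    if (cbuffers < 1 || cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return 0;
    for (uint32_t i = 0; i < cbuffers; i++) {
        const uint8_t *b = data + PACTYPE_LENGTH + (size_t)i * PAC_INFO_BUFFER_LENGTH;
        uint32_t size = load_32_le(b + 4);
        uint64_t off = load_64_le(b + 8);
        if (!pac_buffer_in_bounds_safe(off, size, len))
            return 0;
    }
    return 1;
}

/*
 * Constructed 32-byte sample: 24-byte header (one PAC_INFO_BUFFER entry) plus 8
 * payload bytes; the caller picks cBuffers, cbBufferSize and Offset. Returns
 * (safe << 1) | unsafe: 3 = both accept, 1 = only the unsafe check accepts.
 */
int pac_compare_checks(uint32_t cbuffers, uint32_t size, uint64_t off)
{
    uint8_t pac[32] = {0};
    store_32_le(pac, cbuffers);
    store_32_le(pac + 4, 0);                    /* Version */
    store_32_le(pac + 8, 1);                    /* ulType 1: logon info */
    store_32_le(pac + 12, size);
    store_32_le(pac + 16, (uint32_t)off);
    store_32_le(pac + 20, (uint32_t)(off >> 32));
    return (pac_header_ok_safe(pac, sizeof pac) << 1) |
           pac_header_ok_unsafe(pac, (uint32_t)sizeof pac);
}

int main(void)
{
    printf("well-formed, cBuffers=1:         %d\n", pac_compare_checks(1, 8, 24));
    printf("cBuffers=0x10000001 (wraps):     %d\n", pac_compare_checks(0x10000001u, 8, 24));
    printf("cbBufferSize=0xFFFFFFF0 (wraps): %d\n", pac_compare_checks(1, 0xFFFFFFF0u, 24));
    printf("bounds unsafe/safe: %d/%d\n",
           pac_buffer_in_bounds_unsafe(24, 0xFFFFFFF0u, 32),
           pac_buffer_in_bounds_safe(24, 0xFFFFFFF0u, 32));
    return 0;
}
```

On a 64-bit build the same multiplication cannot wrap a size_t, which is why the advisory limits code execution to 32-bit platforms and leaves a crash as the outcome elsewhere; the division-based bound removes the platform dependence entirely.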
CVE-2023-36054 MEDIUM
MIT Kerberos 5 < 1.20.2 and 1.21.x < 1.21.1 - Authenticated kadmind Crash via Free of Uninitialized Pointer in XDR Decoding
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
CVSS 6.5
CVE-2024-37370 HIGH
MIT Kerberos 5 < 1.21.3 - Insufficient Verification of Data Authenticity in GSS krb5 Wrap Token
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
CVSS 7.5
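Added illustration, not krb5's k5sealv3 code: a model of the RFC 4121 wrap token (16-byte header: TOK_ID 05 04, Flags, Filler 0xFF, EC, RRC, SND_SEQ) in which the cipher protects data, EC filler bytes and a copy of the header. Encryption and RRC rotation are omitted on the assumption that `body` is what decryption would yield, so only the header/trailer logic is exercised. The lenient path uses the tamperable plaintext EC to strip filler without checking it against the protected copy, which is the weakness described above; the strict path rejects the mismatch. The message, sequence number and the attacker's EC value are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN          16
#define KG2_TOK_WRAP_MSG 0x0504
#define FLAG_SEALED      0x02

typedef struct {
    uint8_t hdr[HDR_LEN];       /* plaintext header: modifiable on the wire */
    uint8_t body[256];          /* decrypted contents: integrity-protected */
    size_t  body_len;
} wrap_token;

static uint16_t load_16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void store_16_be(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Sealed wrap token: header, then body = data || ec filler bytes || header copy. */
int wrap_make(wrap_token *t, const uint8_t *data, size_t n, uint16_t ec, uint64_t seq)
{
    if (n + ec + HDR_LEN > sizeof t->body)
        return 0;
    memset(t->hdr, 0, HDR_LEN);
    store_16_be(t->hdr, KG2_TOK_WRAP_MSG);
    t->hdr[2] = FLAG_SEALED;
    t->hdr[3] = 0xff;
    store_16_be(t->hdr + 4, ec);
    store_16_be(t->hdr + 6, 0);                     /* RRC: no rotation in this model */
    for (int i = 0; i < 8; i++)
        t->hdr[8 + i] = (uint8_t)(seq >> (8 * (7 - i)));
    memcpy(t->body, data, n);
    memset(t->body + n, 'F', ec);                   /* filler bytes, content irrelevant */
    memcpy(t->body + n + ec, t->hdr, HDR_LEN);      /* header copy under the cipher */
    t->body_len = n + ec + HDR_LEN;
    return 1;
}

/*
 * strict == 0: EC comes from the outer header and is never compared with the
 * protected copy, so a larger EC silently shortens the returned plaintext.
 * strict == 1: EC must match the copy. Returns plaintext length or -1.
 */
long wrap_unwrap(const wrap_token *t, int strict, uint8_t *out, size_t out_cap)
{
    if (load_16_be(t->hdr) != KG2_TOK_WRAP_MSG || t->hdr[3] != 0xff)
        return -1;
    uint16_t ec = load_16_be(t->hdr + 4);
    if (t->body_len < (size_t)ec + HDR_LEN)
        return -1;
    const uint8_t *althdr = t->body + t->body_len - HDR_LEN;
    /* TOK_ID, flags, filler and SND_SEQ must match the copy; RRC is set after the copy is made */
    if (memcmp(althdr, t->hdr, 4) != 0 || memcmp(althdr + 8, t->hdr + 8, 8) != 0)
        return -1;
    if (strict && load_16_be(althdr + 4) != ec)
        return -1;                                  /* the check the lenient path lacks */
    size_t n = t->body_len - HDR_LEN - ec;
    if (n > out_cap)
        return -1;
    memcpy(out, t->body, n);
    return (long)n;
}

/* Constructed scenario: 14-byte message wrapped with EC=0, sequence number 7. */
static int make_sample(wrap_token *t)
{
    static const uint8_t msg[] = "attack at dawn";
    return wrap_make(t, msg, 14, 0, 7);
}

long demo_untampered(int strict)
{
    wrap_token t; uint8_t out[256];
    if (!make_sample(&t)) return -2;
    return wrap_unwrap(&t, strict, out, sizeof out);
}

/* An on-path attacker rewrites only the plaintext EC field, here to 9. */
long demo_tampered_ec(int strict)
{
    wrap_token t; uint8_t out[256];
    if (!make_sample(&t)) return -2;
    store_16_be(t.hdr + 4, 9);
    return wrap_unwrap(&t, strict, out, sizeof out);
}

int main(void)
{
    printf("untampered:           %ld bytes\n", demo_untampered(1));
    printf("EC tampered, lenient: %ld bytes (application sees a truncated message)\n", demo_tampered_ec(0));
    printf("EC tampered, strict:  %ld (rejected)\n", demo_tampered_ec(1));
    return 0;
}
```

The lenient unwrap hands the application "attac" with no error, which is the "appears truncated" outcome the entry describes; comparing the outer EC with the cipher-protected copy costs one 16-bit compare and closes it.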
CVE-2024-37371 CRITICAL
MIT Kerberos 5 < 1.21.3 - Out-of-bounds Read via GSS Message Token Length Field
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.
CVSS 9.1