Greg Hudson

16 exploits Active since May 2015
CVE-2026-40356 WRITEUP MEDIUM
MIT Kerberos 5 < 1.22.3 - Out-of-Bounds Read
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
CVSS 5.9
CVE-2026-40355 WRITEUP MEDIUM
MIT Kerberos 5 < 1.22.3 - NULL Pointer Dereference
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
CVSS 5.9
CVE-2015-2694 WRITEUP
MIT Kerberos 5 1.12.x, 1.13.x < 1.13.2 - Preauthentication Bypass
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
CVE-2015-2697 WRITEUP
MIT Kerberos 5 < 1.14 - Out-of-Bounds Read
The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request.
CVE-2015-2698 WRITEUP
MIT Kerberos 5 1.14 pre-release - Memory Corruption
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.
CVE-2017-11368 WRITEUP MEDIUM
MIT Kerberos 5 1.7+ - Reachable Assertion
In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.
CVSS 6.5
CVE-2017-11462 WRITEUP CRITICAL
MIT Kerberos 5 - Double Free
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.
CVSS 9.8
CVE-2017-15088 WRITEUP CRITICAL
MIT Kerberos 5 <= 1.15.2 - Buffer Overflow
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.
CVSS 9.8
CVE-2018-5729 WRITEUP MEDIUM
MIT krb5 1.6+ - NULL Pointer Dereference (DoS)
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVSS 4.7
CVE-2018-5730 WRITEUP LOW
MIT krb5 1.6+ - DN Containership Check Bypass
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.
CVSS 3.8
CVE-2020-28196 WRITEUP HIGH
MIT Kerberos 5 < 1.17.2, 1.18.x < 1.18.3 - Unbounded Recursion (DoS)
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
CVSS 7.5
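The recursion in this entry comes from the BER indefinite-length form: a constructed element whose length octet is 0x80 has no up-front size, so a decoder only learns where it ends by walking its contents, and every nested indefinite-length element costs one more stack frame. With no limit, the nesting depth, and therefore stack use, is chosen by whoever built the message. As an added example, not code from krb5 or from this page, here is a small BER walker in C that applies the limit this bug class needs. The element and length encodings follow X.690; the limit value `BER_MAX_DEPTH`, the function names and the constructed nested input are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for the walker. */
enum { BER_OK = 0, BER_MALFORMED = -1, BER_TOO_DEEP = -2 };

/* Nesting limit used by this example (an assumed value, not krb5's). */
#define BER_MAX_DEPTH 32

/*
 * Skip one BER element starting at buf[pos]; on success *endpos is the
 * offset just past it.  A constructed element with the indefinite length
 * octet 0x80 carries no up-front size, so its contents are walked element
 * by element until the end-of-contents marker 00 00, and every nested
 * indefinite-length element costs one more stack frame.  max_depth < 0
 * disables the limit (sender-chosen recursion depth, the bug class of
 * CVE-2020-28196); max_depth >= 0 makes the walk fail with BER_TOO_DEEP.
 */
static int ber_skip(const uint8_t *buf, size_t len, size_t pos,
                    size_t *endpos, int depth, int max_depth)
{
    uint8_t tag, lb;
    int constructed;

    if (max_depth >= 0 && depth > max_depth)
        return BER_TOO_DEEP;
    if (pos >= len)
        return BER_MALFORMED;
    tag = buf[pos++];
    constructed = tag & 0x20;
    if ((tag & 0x1f) == 0x1f) {               /* high-tag-number form */
        do {
            if (pos >= len)
                return BER_MALFORMED;
        } while (buf[pos++] & 0x80);
    }
    if (pos >= len)
        return BER_MALFORMED;
    lb = buf[pos++];

    if (lb == 0x80) {                         /* indefinite length */
        if (!constructed)
            return BER_MALFORMED;             /* primitives need a definite length */
        for (;;) {
            int r;
            if (pos + 1 >= len)
                return BER_MALFORMED;         /* no room for 00 00 */
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) {
                pos += 2;                     /* end-of-contents */
                break;
            }
            r = ber_skip(buf, len, pos, &pos, depth + 1, max_depth);
            if (r != BER_OK)
                return r;
        }
    } else if (lb & 0x80) {                   /* long definite form */
        int n = lb & 0x7f, i;
        size_t l = 0;
        if (n == 0 || n > (int)sizeof(size_t) || (size_t)n > len - pos)
            return BER_MALFORMED;
        for (i = 0; i < n; i++)
            l = (l << 8) | buf[pos++];
        if (l > len - pos)
            return BER_MALFORMED;
        pos += l;
    } else {                                  /* short definite form */
        if (lb > len - pos)
            return BER_MALFORMED;
        pos += lb;
    }
    *endpos = pos;
    return BER_OK;
}

/* Walk exactly one top-level element; BER_OK, BER_MALFORMED or BER_TOO_DEEP. */
int ber_walk(const uint8_t *buf, size_t len, int max_depth)
{
    size_t end = 0;
    int r = ber_skip(buf, len, 0, &end, 0, max_depth);
    return (r == BER_OK && end != len) ? BER_MALFORMED : r;
}

/*
 * Constructed input: `levels` nested indefinite-length SEQUENCEs, i.e.
 * "30 80" repeated `levels` times followed by "00 00" repeated `levels`
 * times.  Returns the encoded length, or 0 if `cap` is too small.
 */
size_t make_nested_indefinite(uint8_t *out, size_t cap, size_t levels)
{
    size_t i, n = 4 * levels;
    if (n > cap)
        return 0;
    for (i = 0; i < levels; i++) {
        out[2 * i] = 0x30;
        out[2 * i + 1] = 0x80;
    }
    for (i = 2 * levels; i < n; i++)
        out[i] = 0x00;
    return n;
}

/* Build `levels` nested elements and walk them under the given limit. */
int nested_walk_result(size_t levels, int max_depth)
{
    static uint8_t buf[64 * 1024];
    size_t n = make_nested_indefinite(buf, sizeof buf, levels);
    return n ? ber_walk(buf, n, max_depth) : BER_MALFORMED;
}
```

With `max_depth` negative the walker accepts a thousand-deep nesting and recurses a thousand times; a few hundred thousand levels in a message from the network is enough to exhaust a typical thread stack. With the limit in place the same input is rejected at depth 33 before any meaningful stack is consumed, which is the property a recursion limit in a decoder buys.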
CVE-2021-37750 WRITEUP MEDIUM
MIT Kerberos 5 < 1.18.5, 1.19.x < 1.19.3 - NULL Pointer Dereference
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
CVSS 6.5
CVE-2022-42898 WRITEUP HIGH
MIT Kerberos 5 < 1.19.4, 1.20.x < 1.20.1 - Integer Overflow
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
CVSS 8.8
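The 32-bit case in this entry is the familiar count-times-entry-size computation on a header length: when a 32-bit `size_t` holds the product, a large buffer count wraps it to a small value, the length check passes, and the parser then walks that many entries past the end of the data. As an added example, not krb5's code and not from this page, here are the vulnerable and hardened shapes of a PAC header check in C, with `size_t` deliberately modelled as `uint32_t` so the 32-bit behaviour reproduces on any host. The MS-PAC field sizes (8-byte PACTYPE header, 16-byte PAC_INFO_BUFFER entries) are the real layout; the function names and the constructed 24-byte PAC are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* MS-PAC layout, little-endian:
 *   PACTYPE header   = cBuffers (u32) | Version (u32)                      8 bytes
 *   PAC_INFO_BUFFER  = ulType (u32) | cbBufferSize (u32) | Offset (u64)   16 bytes,
 *   cBuffers of them immediately after the header. */
#define PACTYPE_LENGTH         8
#define PAC_INFO_BUFFER_LENGTH 16

static uint32_t load_32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_32_le(uint32_t v, uint8_t *p)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable shape of the header-length check.  size_t is modelled as uint32_t
 * so the arithmetic behaves as on a 32-bit platform: for a large cBuffers the
 * product wraps, header_len comes out small, the check passes, and a caller
 * that then reads cBuffers 16-byte entries runs off the end of the buffer.
 * Returns 0 when accepted, ERANGE/EINVAL when rejected. */
int pac_header_check_vulnerable(const uint8_t *data, uint32_t len)
{
    uint32_t cbuffers, header_len;

    if (len < PACTYPE_LENGTH)
        return ERANGE;
    cbuffers = load_32_le(data);
    if (load_32_le(data + 4) != 0)          /* Version must be 0 */
        return EINVAL;
    header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH;   /* can wrap */
    if (len < header_len)
        return ERANGE;
    return 0;
}

/* Hardened shape: bound cBuffers by how many 16-byte entries fit in the bytes
 * after the header.  The division cannot overflow, and no product is formed
 * before the bound is enforced. */
int pac_header_check_fixed(const uint8_t *data, uint32_t len)
{
    uint32_t cbuffers;

    if (len < PACTYPE_LENGTH)
        return ERANGE;
    cbuffers = load_32_le(data);
    if (load_32_le(data + 4) != 0)
        return EINVAL;
    if (cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return ERANGE;
    return 0;
}

/* Constructed input: a 24-byte PAC that really holds one entry but whose
 * cBuffers field claims `claimed`.  Returns the result of the chosen check. */
int pac_check_demo(uint32_t claimed, int use_fixed)
{
    uint8_t pac[PACTYPE_LENGTH + PAC_INFO_BUFFER_LENGTH];

    memset(pac, 0, sizeof pac);
    store_32_le(claimed, pac);                   /* cBuffers (attacker-controlled) */
    store_32_le(0, pac + 4);                     /* Version */
    store_32_le(1, pac + 8);                     /* ulType = PAC_LOGON_INFO */
    store_32_le(0, pac + 12);                    /* cbBufferSize = 0 */
    store_32_le((uint32_t)sizeof pac, pac + 16); /* Offset, low 32 bits */
    return use_fixed ? pac_header_check_fixed(pac, (uint32_t)sizeof pac)
                     : pac_header_check_vulnerable(pac, (uint32_t)sizeof pac);
}
```

With `cBuffers = 0x10000001` the product `0x10000001 * 16` wraps to 16 in 32 bits, so `header_len` is 24, equal to the actual length, and the vulnerable check accepts a PAC that claims over 268 million entries; the hardened check computes that only one entry fits and rejects it. On a 64-bit `size_t` this particular product does not wrap, which is why the advisory separates the 32-bit heap-overflow outcome from the denial of service seen elsewhere.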
CVE-2023-36054 WRITEUP MEDIUM
MIT Kerberos 5 < 1.20.2, 1.21.x < 1.21.1 - Free of Uninitialized Pointer
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
CVSS 6.5
CVE-2024-37370 WRITEUP HIGH
MIT Kerberos 5 < 1.21.3 - Data Authenticity Bypass
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
CVSS 7.5
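The EC (Extra Count) field in an RFC 4121 wrap token sits in the 16-octet plaintext header, and in a sealed token it tells the receiver how many filler octets to strip from the decrypted payload. The ciphertext also carries a copy of the header, and that copy is what the session key protects; the outer EC is not. An unwrap that strips according to the outer field therefore lets an on-path party shorten what the application sees without failing any integrity check. As an added example, not code from krb5 or from this page, here is a C model of both sides with a stand-in for the session-key encryption (a keyed XOR stream plus a keyed 32-bit checksum, chosen so the example runs offline; it is not a cipher). The header layout and the Sealed flag value follow RFC 4121; RRC handling is omitted (left at 0); the function names, the key, the message and the tampering scenario are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 4121 wrap token header, 16 octets: TOK_ID 05 04 | Flags | Filler 0xFF |
 * EC (u16 BE) | RRC (u16 BE) | SND_SEQ (u64 BE).  Flags bit 0x02 = Sealed. */
#define HDR_LEN 16
#define FLAG_SEALED 0x02
#define TAG_LEN 4
#define MAX_PT 256
enum { UNWRAP_BAD_MIC = -1, UNWRAP_DEFECTIVE = -2 };

static uint16_t load_16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void store_16_be(uint16_t v, uint8_t *p) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Stand-in for encryption under the session key: keyed XOR stream plus a 32-bit
 * keyed checksum over the ciphertext, so the inner bytes are confidential and
 * integrity-protected in shape only.  Not a cipher; never reuse it. */
static uint32_t toy_tag(const uint8_t *key, size_t klen, const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u; size_t i;
    for (i = 0; i < klen; i++) h = (h ^ key[i]) * 16777619u;
    for (i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}
static size_t toy_seal(const uint8_t *key, size_t klen, const uint8_t *pt, size_t n, uint8_t *out)
{
    uint32_t t; size_t i;
    for (i = 0; i < n; i++) out[i] = pt[i] ^ key[i % klen] ^ (uint8_t)i;
    t = toy_tag(key, klen, out, n);
    memcpy(out + n, &t, TAG_LEN);
    return n + TAG_LEN;
}
static int toy_open(const uint8_t *key, size_t klen, const uint8_t *ct, size_t n, uint8_t *out)
{
    uint32_t want; size_t i;
    if (n < TAG_LEN || n - TAG_LEN > MAX_PT) return -1;
    n -= TAG_LEN;
    memcpy(&want, ct + n, TAG_LEN);
    if (toy_tag(key, klen, ct, n) != want) return -1;        /* ciphertext tampered */
    for (i = 0; i < n; i++) out[i] = ct[i] ^ key[i % klen] ^ (uint8_t)i;
    return (int)n;
}

/* Sealed wrap token = header || Seal(data || EC filler octets || header copy).
 * RRC rotation is left at 0 since the point here is EC.  Returns token length. */
size_t wrap_sealed(const uint8_t *key, size_t klen, const uint8_t *data, size_t dlen,
                   uint16_t ec, uint8_t *out)
{
    uint8_t pt[MAX_PT]; size_t n;
    if (dlen + ec + HDR_LEN > MAX_PT) return 0;
    out[0] = 0x05; out[1] = 0x04; out[2] = FLAG_SEALED; out[3] = 0xFF;
    store_16_be(ec, out + 4);
    store_16_be(0, out + 6);
    memset(out + 8, 0, 8); out[15] = 1;                      /* SND_SEQ = 1 */
    memcpy(pt, data, dlen);        n = dlen;
    memset(pt + n, 0, ec);         n += ec;                  /* EC filler octets */
    memcpy(pt + n, out, HDR_LEN);  n += HDR_LEN;             /* protected header copy */
    return HDR_LEN + toy_seal(key, klen, pt, n, out + HDR_LEN);
}

/* Unwrap into data_out; returns data length or a negative code.  check_ec=0 is the
 * vulnerable shape: the EC in the unprotected outer header decides how much filler
 * to strip.  check_ec=1 also requires it to equal the EC in the protected copy. */
int unwrap_sealed(const uint8_t *key, size_t klen, const uint8_t *tok, size_t tlen,
                  uint8_t *data_out, int check_ec)
{
    uint8_t pt[MAX_PT]; const uint8_t *inner; uint16_t ec; int n;
    if (tlen < HDR_LEN || tok[0] != 0x05 || tok[1] != 0x04 || !(tok[2] & FLAG_SEALED))
        return UNWRAP_DEFECTIVE;
    ec = load_16_be(tok + 4);
    n = toy_open(key, klen, tok + HDR_LEN, tlen - HDR_LEN, pt);
    if (n < 0) return UNWRAP_BAD_MIC;
    if ((size_t)n < (size_t)HDR_LEN + ec) return UNWRAP_DEFECTIVE;
    inner = pt + n - HDR_LEN;
    if (memcmp(inner, tok, 4) != 0 || memcmp(inner + 8, tok + 8, 8) != 0)
        return UNWRAP_BAD_MIC;                               /* TOK_ID, flags, SND_SEQ must agree */
    if (check_ec && load_16_be(inner + 4) != ec)
        return UNWRAP_BAD_MIC;                               /* the check the bug lacked */
    n -= HDR_LEN + ec;                                       /* drop header copy and filler */
    memcpy(data_out, pt, (size_t)n);
    return n;
}

/* Constructed scenario: seal "transfer 100 to alice" with EC=2; optionally an on-path
 * attacker rewrites the outer EC to 8; then unwrap.  Recovered bytes land in
 * ec_demo_recovered (NUL-terminated); the return is their length or a negative code. */
char ec_demo_recovered[MAX_PT + 1];
int ec_demo(int tamper, int check_ec)
{
    static const uint8_t key[] = "example-session-key";     /* constructed */
    static const uint8_t msg[] = "transfer 100 to alice";
    uint8_t tok[HDR_LEN + MAX_PT + TAG_LEN], out[MAX_PT]; int n;
    size_t tlen = wrap_sealed(key, sizeof key - 1, msg, sizeof msg - 1, 2, tok);
    if (tamper) store_16_be(8, tok + 4);                     /* outer EC: no key covers it */
    n = unwrap_sealed(key, sizeof key - 1, tok, tlen, out, check_ec);
    ec_demo_recovered[0] = '\0';
    if (n < 0) return n;
    memcpy(ec_demo_recovered, out, (size_t)n);
    ec_demo_recovered[n] = '\0';
    return n;
}
```

With the outer EC bumped from 2 to 8, the vulnerable unwrap strips six more octets than the sender added and hands the application "transfer 100 to" in place of "transfer 100 to alice", with no integrity failure, which is the truncation the advisory describes. The hardened unwrap compares the outer EC with the copy inside the ciphertext and reports a bad MIC instead. The general rule is the one behind the fix: any plaintext field that influences how the protected payload is interpreted must be bound to the integrity-protected data.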
CVE-2024-37371 WRITEUP CRITICAL
MIT Kerberos 5 < 1.21.3 - Out-of-Bounds Read
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.
CVSS 9.1