CVE-2014-4343Double Free in Kerberos 5

CWE-415Double FreeCWE-416Use After Free10 documents8 sources
Severity
7.6HIGHNVD
EPSS
7.4%
top 8.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
MIT Krb5Debian LinuxMIT Kerberos 5+4 more
Timeline
PublishedAug 14
Latest updateMay 13

Description

Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.

CVSS vector

AV:N/AC:H/C:C/I:C/A:CExploitability: 4.9 | Impact: 10.0

Affected Packages6 packages

Debianmit/krb5< 1.12.1+dfsg-5+3
NVDmit/kerberos_513 versions+12

Also affects: Debian Linux 7.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-cmrr-h89w-fc55: Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech2022-05-13
CVEList
CVE-2014-4343: Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech2014-08-14
OSV
CVE-2014-4343: Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech2014-08-14

📋Vendor Advisories

3
Ubuntu
Kerberos vulnerabilities2014-08-11
Red Hat
krb5: double-free flaw in SPNEGO initiators2014-07-15
Debian
CVE-2014-4343: krb5 - Double free vulnerability in the init_ctx_reselect function in the SPNEGO initia...2014

💬Community

3
Bugzilla
CVE-2014-4343 CVE-2014-4344 krb5: various flaws [fedora-all]2014-07-22
Bugzilla
CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators2014-07-22
Bugzilla
CVE-2014-4343: use-after-free crash in SPNEGO2014-07-21
CVE-2014-4343 — Double Free in MIT Kerberos 5 | cvebase