cbcvebase.
CVE-2021-36222
published 2021-07-22

CVE-2021-36222: ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote…

PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
10.28%
95.1th percentile
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

Affected

13 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiankrb5< krb5 1.18.3-6 (bookworm)krb5 1.18.3-6 (bookworm)
mitkerberos_5< 1.18.41.18.4
mitkerberos_5>= 1.19.0 < 1.19.21.19.2
mitkrb5>= 0 < 1.18.3-61.18.3-6
mitkrb5>= 0 < 1.18.3-61.18.3-6
mitkrb5>= 0 < 1.18.3-61.18.3-6
mitkrb5>= 0 < 1.18.3-61.18.3-6
mitkrb5>= 0 < 1.16-2ubuntu0.41.16-2ubuntu0.4
mitkrb5>= 0 < 1.17-6ubuntu4.31.17-6ubuntu4.3
msrccbl2_krb5_1.19.2-1_on_cbl_mariner_2.0
msrccm1_krb5_1.18.4-1_on_cbl_mariner_1.0
oraclemysql_server8.0.0 – 8.0.26

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_oracle7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.