cvebase

MIT Kerberos 5 vulnerabilities

135 known vulnerabilities affecting mit/kerberos_5.

Total CVEs: 135
CISA KEV: 0
Public exploits: 5
Exploited in wild: 2
Severity breakdown: CRITICAL 32, HIGH 35, MEDIUM 58, LOW 10

Vulnerabilities

Page 3 of 7
CVE-2000-0391 | P3 | CRITICAL | CVSS 10.0 | v1.0, v1.1.1 | 2000-05-16
CVE-2000-0391 [CRITICAL]: Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges.
nvd
CVE-2003-0028 | P3 | HIGH | CVSS 7.5 | v1.2, v1.2.1, +6 more | 2003-03-25
CVE-2003-0028 [HIGH]: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
nvd
CVE-2022-39028 | P3 | HIGH | CVSS 7.5 | ≤ 1.0.3 | 2022-08-30
CVE-2022-39028 [HIGH] CWE-476: telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval,
nvd
CVE-2024-37370 | P3 | HIGH | CVSS 7.5 | fixed in 1.21.3 | 2024-06-28
CVE-2024-37370 [HIGH] CWE-345: In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
nvd
CVE-2025-24528 | P3 | HIGH | CVSS 7.1 | ≥ 1.7, < 1.22 | 2026-01-16
CVE-2025-24528 [HIGH] CWE-190: In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.
nvd
CVE-2006-6143 | P3 | CRITICAL | CVSS 9.3 | v1.4, v1.4.1, +5 more | 2006-12-31
CVE-2006-6143 [CRITICAL] CWE-824: The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
nvd
CVE-2007-2443 | P3 | HIGH | CVSS 8.3 | ≤ 1.6.1 | 2007-06-26
CVE-2007-2443 [HIGH]: Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
nvd
CVE-2009-3295 | P4 | MEDIUM | CVSS 5.0 | v1.7 | 2009-12-29
CVE-2009-3295 [MEDIUM]: The prep_reprocess_req function in kdc/do_tgs_req.c in the cross-realm referral implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a ticket request.
nvd
CVE-2014-4344 | P3 | HIGH | CVSS 7.8 | v1.10, v1.10.1, +11 more | 2014-08-14
CVE-2014-4344 [HIGH] CWE-476: The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
nvd
CVE-2004-0772 | P3 | CRITICAL | CVSS 9.8 | ≤ 1.2.8 | 2004-10-20
CVE-2004-0772 [CRITICAL] CWE-415: Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.
nvd
CVE-2015-2698 | P3 | HIGH | CVSS 8.5 | v1.14 | 2015-11-13
CVE-2015-2698 [HIGH]: The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_c
nvd
CVE-2015-2694 | P3 | MEDIUM | CVSS 5.8 | v1.12, v1.12.1, +4 more | 2015-05-25
CVE-2015-2694 [MEDIUM] CWE-264: The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/p
nvd
CVE-2015-8630 | P3 | HIGH | CVSS 7.5 | v1.12, v1.12.1, +9 more | 2016-02-13
CVE-2015-8630 [HIGH]: The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name.
nvd
CVE-2004-0642 | P3 | HIGH | CVSS 7.5 | ≤ 1.3.4 | 2004-09-28
CVE-2004-0642 [HIGH] CWE-415: Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
nvd
CVE-2007-5972 | P4 | CRITICAL | CVSS 9.0 | v1.5 | 2007-12-06
CVE-2007-5972 [CRITICAL] CWE-119: Double free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and so the attacker must have privileges to store this key.
nvd
CVE-2011-1528 | P3 | HIGH | CVSS 7.8 | v1.8, v1.8.1, +5 more | 2011-10-20
CVE-2011-1528 [HIGH] CWE-20: The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function. NOTE: the Berkeley DB vect
nvd
CVE-2010-4020 | P3 | MEDIUM | CVSS 6.3 | v1.8, v1.8.1, +2 more | 2010-12-02
CVE-2010-4020 [MEDIUM] CWE-310: MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.
nvd
CVE-2026-40356 | P3 | MEDIUM | CVSS 5.9 | ≥ 1.18, < 1.22.3 | 2026-04-28
CVE-2026-40356 [MEDIUM] CWE-191: In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
nvd
CVE-2023-36054 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.20.2, v1.21 | 2023-08-07
CVE-2023-36054 [MEDIUM] CWE-824: lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
nvd
CVE-2011-1527 | P4 | HIGH | CVSS 7.8 | v1.9, v1.9.1 | 2011-10-20
CVE-2011-1527 [HIGH] CWE-20: The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_messa
nvd