MIT krb5 vulnerabilities
124 known vulnerabilities affecting mit/krb5.
Total CVEs: 124
CISA KEV: 0
Public exploits: 4
Exploited in wild: 2
Severity breakdown: CRITICAL 30, HIGH 32, MEDIUM 53, LOW 9
Vulnerabilities
Page 3 of 7
CVE-2024-37370 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1.18.3-6+deb11u5 | ≥ 0, < 1.20.1-2+deb12u2 | +1 more | 2024-06-28
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
osv
CVE-2025-24528 | P3 | HIGH | CVSS 7.1 | ≥ 0, < 1.18.3-6+deb11u6 | ≥ 0, < 1.20.1-2+deb12u3 | +1 more | 2026-01-16
In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.
osv
CVE-2006-6143 | P3 | CRITICAL | CVSS 9.3 | ≥ 0, < 1.4.4-6 | 2006-12-31
The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
osv
CVE-2007-2443 | P3 | HIGH | CVSS 8.3 | ≥ 0, < 1.6.dfsg.1-5 | 2007-06-26
Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
osv
CVE-2009-3295 | P4 | MEDIUM | CVSS 5.0 | ≥ 0, < 1.7+dfsg-4 | 2009-12-29
The prep_reprocess_req function in kdc/do_tgs_req.c in the cross-realm referral implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a ticket request.
osv
CVE-2014-4344 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1.12.1+dfsg-5 | 2014-08-14
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
osv
CVE-2004-0772 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 1.3.4-3 | 2004-10-20
Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.
osv
CVE-2015-2694 | P3 | MEDIUM | CVSS 5.8 | ≥ 0, < 1.12.1+dfsg-20 | 2015-05-25
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
osv
CVE-2015-8630 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1.13.2+dfsg-5 | 2016-02-13
The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy nam
osv
CVE-2004-0642 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1.3.4-3 | 2004-09-28
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
osv
CVE-2015-2698 | P3 | HIGH | CVSS 7.1 | ≥ 0, < 1.13.2+dfsg-4 | 2015-11-13
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vul
osv
CVE-2007-5972 | P4 | CRITICAL | CVSS 9.0 | ≥ 0, < 1.6.dfsg.4~beta1-1 | 2007-12-06
Double free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and so the attacker must have privileges to store this key.
osv
CVE-2011-1528 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1.10+dfsg~alpha1-1 | 2011-10-20
The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function. NOTE: the Berkeley DB vector
osv
CVE-2010-4020 | P3 | MEDIUM | CVSS 6.3 | ≥ 0, < 1.8.3+dfsg-3 | 2010-12-02
MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.
osv
CVE-2023-36054 | P4 | MEDIUM | CVSS 6.5 | ≥ 0, < 1.18.3-6+deb11u4 | ≥ 0, < 1.20.1-2+deb12u1 | +1 more | 2023-08-07
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
osv
CVE-2011-1527 | P4 | HIGH | CVSS 7.8 | ≥ 0, < 1.10+dfsg~alpha1-1 | 2011-10-20
The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_pr
osv
CVE-2011-4151 | P4 | HIGH | CVSS 7.8 | ≥ 0, < 1.10+dfsg~alpha1-1 | 2011-10-20
The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528.
osv
CVE-2010-1322 | P4 | MEDIUM | CVSS 6.5 | ≥ 0, < 1.8.3+dfsg-2 | 2010-10-07
The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointe
osv
CVE-2014-9422 | P4 | MEDIUM | CVSS 6.1 | ≥ 0, < 1.12.1+dfsg-17 | 2015-02-19
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.
osv
CVE-2011-1529 | P4 | HIGH | CVSS 7.8 | ≥ 0, < 1.10+dfsg~alpha1-1 | 2011-10-20
The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors.
osv