Message-ID: <CAF_a9jNXwe=T=wHnz1iDG6+xhMxD+aZa0F-Xv+dU2OTh7R8ryA@mail.gmail.com>
Date: Mon, 27 Apr 2026 22:56:12 +0200
From: Cem Onat Karagun <cemkaragun@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-40355, CVE-2026-40356: MIT krb5 1.18+ Unauthenticated Network read overrun and null pointer dereference

Hi, just a quick note that MIT krb5 has fixed two unauthenticated network NegoEx parsing vulnerabilities.

Affected versions: MIT krb5 1.18 and later, when an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech

Description:

CVE-2026-40355 is a null pointer dereference in parse_nego_message(). The result of the second vector_base() call was not checked before being dereferenced. An unauthenticated remote attacker can trigger this issue and crash the process.

CVE-2026-40356 is a read overrun of up to 52 bytes in parse_message(). A short header_len could cause an integer underflow while calculating the remaining message length. An unauthenticated remote attacker can trigger this issue and possibly crash the process. Exfiltration of the bytes read appears unlikely.

MIT krb5 security confirmed the following CVSS v3.1 vectors:

CVE-2026-40355: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base score: 7.5

CVE-2026-40356: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base score: 5.9

Users are recommended to apply the upstream patch or update to a version containing the fix.

Credit: Cem Onat Karagun

References:
https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html
https://www.youtube.com/watch?v=zpBrriAJxCQ
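To make the two bug classes in the advisory concrete, here is a constructed C illustration added for this archive page; it is not MIT krb5 code and the message layout (a hypothetical 16-byte fixed header followed by a vector of 4-byte elements), the function names and the sample messages are all assumptions. It shows the unchecked unsigned subtraction that wraps on a short header_len, a bounds-checked vector_base() whose NULL result the caller must test, and a parser that validates lengths before subtracting.

```c
#include <stddef.h>
#include <stdint.h>
#define FIXED_HEADER_LEN 16u  /* assumed layout: message_len, header_len, vec_offset, vec_count */
#define ELEM_LEN 4u           /* assumed: each vector element is 4 bytes */
static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* CVE-2026-40356 class: an unchecked unsigned subtraction turns a header_len
 * shorter than the fixed header into a huge "remaining" length. */
uint32_t remaining_unchecked(uint32_t header_len)
{
    return header_len - FIXED_HEADER_LEN;
}

/* Bounds-checked vector lookup: NULL unless every element lies inside the message.
 * Dividing instead of computing count * ELEM_LEN avoids a multiplication overflow. */
const uint8_t *vector_base(const uint8_t *msg, uint32_t msg_len, uint32_t offset, uint32_t count)
{
    if (offset > msg_len || count > (msg_len - offset) / ELEM_LEN)
        return NULL;
    return msg + offset;
}

/* Hardened parser: returns the count of message-specific header bytes after the
 * fixed header (>= 0), or -1 for a malformed message. */
int64_t parse_message_hardened(const uint8_t *buf, size_t len)
{
    uint32_t message_len, header_len, off, count;
    if (len < FIXED_HEADER_LEN)
        return -1;
    message_len = get_u32(buf);
    header_len = get_u32(buf + 4);
    off = get_u32(buf + 8);
    count = get_u32(buf + 12);
    /* Tie the message to the buffer and the header to the message before any
     * subtraction, and reject a header_len below the fixed header size. */
    if (message_len > len || header_len < FIXED_HEADER_LEN || header_len > message_len)
        return -1;
    /* CVE-2026-40355 class: vector_base() can return NULL; check before use. */
    if (vector_base(buf, message_len, off, count) == NULL)
        return -1;
    return (int64_t)(header_len - FIXED_HEADER_LEN);
}

/* Constructed little-endian samples: valid, short header_len, vector past message end. */
const uint8_t sample_ok[20]    = { 20,0,0,0, 16,0,0,0, 16,0,0,0, 1,0,0,0, 1,2,3,4 };
const uint8_t sample_short[20] = { 20,0,0,0,  8,0,0,0, 16,0,0,0, 1,0,0,0, 1,2,3,4 };
const uint8_t sample_oob[20]   = { 20,0,0,0, 16,0,0,0, 16,0,0,0, 9,0,0,0, 1,2,3,4 };
```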