
CVE-2023-39975: MIT Kerberos 5 Use-After-Free Vulnerability

CVE-2023-39975 is a use-after-free flaw in MIT Kerberos 5 that allows authenticated users to trigger a double free through authorization-data handling failures. This article covers technical details, affected versions, and mitigation.

Published: February 4, 2026

CVE-2023-39975 Overview

CVE-2023-39975 is a double free vulnerability in the kdc/do_tgs_req.c file of MIT Kerberos 5 (krb5) version 1.21 before 1.21.2. The flaw occurs when an authenticated user triggers an authorization-data handling failure, causing incorrect data to be copied from one ticket to another. This memory corruption issue can be exploited over the network by authenticated attackers to potentially achieve arbitrary code execution or cause denial of service conditions on affected Key Distribution Center (KDC) servers.

Critical Impact

Authenticated attackers can exploit this double free vulnerability to compromise KDC servers, potentially leading to complete authentication infrastructure compromise, arbitrary code execution, or service disruption across the Kerberos realm.

Affected Products

  • MIT Kerberos 5 version 1.21 before 1.21.2

Discovery Timeline

  • 2023-08-16 - CVE-2023-39975 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-39975

Vulnerability Analysis

This double free vulnerability (CWE-415) exists in the TGS (Ticket Granting Service) request handling code within the MIT Kerberos 5 KDC. The vulnerability is triggered during ticket validation or renewal operations when authorization-data handling fails. The root issue lies in how the code copies ticket data structures during these operations.

When processing TGS requests with the KDC_OPT_VALIDATE or KDC_OPT_RENEW options, the vulnerable code performs a shallow copy of the entire header ticket structure to the reply ticket. This creates a situation where both the original and copied tickets reference the same memory for certain fields. When authorization-data handling subsequently fails and cleanup occurs, the same memory can be freed twice, leading to heap corruption.

The vulnerability requires the attacker to be authenticated to the Kerberos realm, but once authenticated, exploitation can occur over the network without user interaction. Successful exploitation could allow an attacker to execute arbitrary code in the context of the KDC process or cause the KDC to crash, disrupting authentication services.

Root Cause

The root cause is improper memory management during ticket copying operations in the TGS request handler. The original code copied the entire ticket_reply structure from t->header_tkt, which included pointers to dynamically allocated memory. This shallow copy meant that when the enc_tkt_reply.authorization_data was set to NULL and later the original ticket's authorization data was freed, the copied ticket would still reference (and potentially attempt to free) the same memory location. The fix changes the code to perform a more selective copy, only copying the specific fields needed (server and enc_part2 fields) rather than the entire structure.
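
A minimal model of the aliasing described above, as an added example that is not krb5 source code. The struct, field and function names and the sample server name are hypothetical, and a tracking `release()` counts a second release of the same pointer instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>

struct ticket {         /* hypothetical model, not krb5's real structure */
    const char *server; /* borrowed from the header ticket in both variants */
    char *owned_buf;    /* heap field that exactly one ticket may release */
};

/* Tracking allocator: release() records a pointer instead of freeing it,
 * so a second release of the same pointer is counted, not executed. */
static void *released[8];
static int n_released, double_frees;

static void release(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    if (n_released < 8) released[n_released++] = p;
}

static void ticket_cleanup(struct ticket *t)
{
    release(t->owned_buf);
    t->owned_buf = NULL;
}

/* Error path of a renew/validate request: both the reply and the header
 * ticket are cleaned up. Returns the double frees seen, or -1 on OOM. */
int simulate_failure(int selective_copy)
{
    /* "krbtgt/EXAMPLE.TEST" is a constructed sample value */
    struct ticket header = { "krbtgt/EXAMPLE.TEST", NULL }, reply = { NULL, NULL };
    n_released = double_frees = 0;
    if ((header.owned_buf = malloc(16)) == NULL) return -1;
    if (selective_copy)
        reply.server = header.server; /* patched: copy only the needed field */
    else
        reply = header;               /* pre-patch: owned_buf is now aliased */
    ticket_cleanup(&reply);           /* failure handling releases the reply */
    ticket_cleanup(&header);          /* later teardown of the header ticket */
    for (int i = 0; i < n_released; i++)
        free(released[i]);            /* really free each buffer exactly once */
    return double_frees;
}

int main(void)
{
    printf("whole copy: %d, selective copy: %d\n", simulate_failure(0), simulate_failure(1));
    return 0;
}
```

The same pattern (record releases, flag repeats) is what memory sanitizers automate when run against a test KDC build.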

Attack Vector

The attack vector is network-based and requires the attacker to have valid authentication credentials within the Kerberos realm. The attack sequence is:

  1. Authenticate to the Kerberos realm to obtain a valid TGT
  2. Submit a specially crafted TGS request with validation or renewal options
  3. Trigger an authorization-data handling failure condition
  4. The double free occurs during the error handling path

     }
 
     if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
-        /* Copy the whole header ticket except for authorization data. */
-        ticket_reply = *t->header_tkt;
+        /* Copy the header ticket server and all enc-part fields except for
+         * authorization data. */
+        ticket_reply.server = t->header_tkt->server;
         enc_tkt_reply = *t->header_tkt->enc_part2;
         enc_tkt_reply.authorization_data = NULL;
     } else {
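
Review bot: The new comment on `ticket_reply.server = t->header_tkt->server;` should say that the pointer stays owned by the header ticket, and the same applies to the unchanged `enc_tkt_reply = *t->header_tkt->enc_part2;`, which is still a whole-struct copy with only `authorization_data` cleared. Any other pointer members of that structure remain aliased, so document them as borrowed and confirm that no cleanup path frees them through the reply. Because the whole-struct assignment to `ticket_reply` is gone, its remaining fields are no longer set in this branch; please confirm `ticket_reply` is zero-initialized before this point, which the hunk does not show.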

Source: GitHub Commit Update

The fix changes the shallow copy of the entire ticket_reply structure to selective field copying, preventing the aliased memory references that lead to the double free condition.

Detection Methods for CVE-2023-39975

Indicators of Compromise

  • Unexpected KDC process crashes or restarts, particularly during ticket validation or renewal operations
  • Abnormal memory access patterns or heap corruption errors in KDC logs
  • Increased TGS-REQ traffic with validation or renewal flags from suspicious sources
  • Core dumps from krb5kdc process showing double free conditions

Detection Strategies

  • Monitor KDC process stability and implement alerting on unexpected crashes or restarts
  • Enable verbose logging on KDC servers to capture TGS request details and authorization-data handling failures
  • Deploy memory sanitization tools in test environments to detect double free conditions
  • Audit Kerberos ticket request patterns for anomalous validation or renewal activity from authenticated users

Monitoring Recommendations

  • Implement centralized log collection for all KDC servers to correlate crash events
  • Configure process monitoring to alert on krb5kdc process termination or excessive memory usage
  • Review authentication logs for patterns of failed authorization-data handling
  • Deploy SentinelOne agents on KDC hosts to detect exploitation attempts and memory corruption attacks

How to Mitigate CVE-2023-39975

Immediate Actions Required

  • Upgrade MIT Kerberos 5 to version 1.21.2 or later immediately on all KDC servers
  • Review KDC server logs for evidence of exploitation attempts or unexpected crashes
  • Implement network segmentation to limit access to KDC servers from untrusted networks
  • Ensure monitoring and alerting are in place for KDC process health

Patch Information

The vulnerability is fixed in MIT Kerberos 5 version 1.21.2. The security patch is available in commit 88a1701b423c13991a8064feeb26952d3641d840. Organizations should upgrade from any version 1.21 through 1.21.1 to version 1.21.2 or later. The fix modifies the ticket copying logic to avoid shallow copying of the entire ticket structure, instead selectively copying only the required fields.

For detailed patch information, refer to:

  • GitHub Commit Update
  • GitHub Version Comparison
  • MIT Kerberos Advisory

Workarounds

  • If immediate patching is not possible, restrict network access to KDC servers to only trusted hosts
  • Implement additional monitoring on KDC servers to detect and respond to crashes quickly
  • Consider deploying KDC redundancy to maintain authentication services if a server is compromised
  • Audit and minimize the number of authenticated users with access to request ticket validation or renewal
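
```bash
# Verify the installed krb5 version (krb5-config may require the krb5 development package)
krb5-config --version

# Check whether a vulnerable package version is installed
rpm -qa | grep krb5    # RHEL/CentOS
dpkg -l | grep krb5    # Debian/Ubuntu

# Update on RHEL/CentOS
yum update krb5-server krb5-libs

# Update on Debian/Ubuntu (upgrade only the named packages)
apt-get update && apt-get install --only-upgrade krb5-kdc krb5-admin-server
```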

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: MIT Kerberos
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 0.91%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-415

Technical References

  • NetApp Security Advisory NTAP-20230915-0014
  • NetApp Security Advisory NTAP-20240201-0005
  • NetApp Security Advisory NTAP-20240201-0008

Vendor Resources

  • GitHub Commit Update
  • GitHub Version Comparison
  • MIT Kerberos Advisory

Related CVEs

  • CVE-2025-24528: MIT Kerberos 5 Privilege Escalation Flaw
  • CVE-2025-3576: MIT Kerberos Auth Bypass Vulnerability