CVE-2026-11850 Overview
CVE-2026-11850 is an integer underflow vulnerability [CWE-191] in MIT Kerberos 5 (krb5) affecting the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs the unsigned subtraction bv_len - 2 without first checking that bv_len is at least 2. When bv_len is 0 or 1 the result wraps to a very large value, which is then truncated to the uint16_t length field, yielding 65534 or 65535. A subsequent memcpy copies that many bytes from a source value that holds at most one byte, causing a heap out-of-bounds read in the krb5kdc or kadmind process.
Critical Impact
A malicious or compromised Lightweight Directory Access Protocol (LDAP) Kerberos Database (KDB) backend can return a crafted krbExtraData attribute to trigger heap memory disclosure and process crashes in krb5kdc or kadmind.
Affected Products
- MIT Kerberos 5 (krb5) with LDAP KDB backend enabled
- Distributions packaging krb5 with the libkdb_ldap plugin (per Red Hat advisory)
- KDC and kadmind services reading principal data from LDAP
Discovery Timeline
- 2026-06-11 - CVE-2026-11850 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-11850
Vulnerability Analysis
The defect resides in berval2tl_data() within the LDAP KDB plugin. The function converts a BerVal-encoded LDAP attribute into a krb5_tl_data structure. It computes the length of the tagged data payload by subtracting 2 (the size of the type tag) from bv_len, the BerVal length field, without first verifying that bv_len >= 2. Because bv_len is unsigned, values of 0 or 1 wrap around modulo 2^n, where n is the width of the length type. The result is then assigned to a uint16_t, producing 0xFFFE (65534) or 0xFFFF (65535).
The code then calls malloc for that wrapped 16-bit length (65534 or 65535 bytes) and uses memcpy to copy the same number of bytes starting at bv_val + 2, from a value that contains only 0 or 1 byte. The read begins at or beyond the end of the source allocation and runs far past it, exposing adjacent heap memory and potentially crashing the process. Confidentiality impact is rated low and availability impact high, reflecting limited leakage but reliable service disruption.
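The following is an added illustration written for this page, not code from MIT krb5. It isolates the length computation described above so it can be run safely (no out-of-bounds copy is performed), and sets a hardened conversion routine beside it that applies the missing lower-bound check before any arithmetic. The struct definitions are simplified stand-ins for struct berval and krb5_tl_data, the big-endian read of the type tag is an assumption about the encoding, and the additional guard against values longer than UINT16_MAX is extra hardening for the example, not necessarily part of the upstream fix.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for OpenLDAP's struct berval (assumption: an unsigned
 * length plus a pointer; the real type uses ber_len_t). */
struct berval_demo {
    unsigned long bv_len;
    const char *bv_val;
};

/* Simplified stand-in for krb5_tl_data: 16-bit type, 16-bit length, payload. */
struct tl_data_demo {
    uint16_t tl_data_type;
    uint16_t tl_data_length;
    uint8_t *tl_data_contents;
};

/* Vulnerable length computation, isolated so it can be called safely:
 * unsigned subtraction first, then truncation into the 16-bit length field.
 * For bv_len 0 or 1 the result is 65534 or 65535. Nothing is copied here. */
uint16_t vulnerable_length(unsigned long bv_len)
{
    unsigned long wrapped = bv_len - 2;   /* wraps modulo 2^n when bv_len < 2 */
    return (uint16_t)wrapped;
}

/* Hardened conversion: refuse values too short to hold the 2-byte type tag
 * before doing any arithmetic on the length. Returns 0 or an errno value;
 * *out is set only on success. */
int berval2tl_data_fixed(const struct berval_demo *in, struct tl_data_demo **out)
{
    *out = NULL;
    if (in->bv_len < 2)
        return EINVAL;                    /* the missing lower-bound check */
    if (in->bv_len - 2 > UINT16_MAX)
        return EINVAL;                    /* extra guard against 16-bit truncation */

    struct tl_data_demo *tl = calloc(1, sizeof(*tl));
    if (tl == NULL)
        return ENOMEM;
    tl->tl_data_length = (uint16_t)(in->bv_len - 2);
    tl->tl_data_contents = malloc(tl->tl_data_length ? tl->tl_data_length : 1);
    if (tl->tl_data_contents == NULL) {
        free(tl);
        return ENOMEM;
    }
    /* Type tag read big-endian from the first two bytes (assumed encoding). */
    tl->tl_data_type = (uint16_t)(((uint8_t)in->bv_val[0] << 8) |
                                   (uint8_t)in->bv_val[1]);
    memcpy(tl->tl_data_contents, in->bv_val + 2, tl->tl_data_length);
    *out = tl;
    return 0;
}

/* Convenience wrapper: convert a raw value, report type/length, free result. */
int try_convert(const char *val, unsigned long len, uint16_t *type_out, uint16_t *len_out)
{
    struct berval_demo bv = { len, val };
    struct tl_data_demo *tl = NULL;
    int rc = berval2tl_data_fixed(&bv, &tl);
    if (rc == 0) {
        *type_out = tl->tl_data_type;
        *len_out = tl->tl_data_length;
        free(tl->tl_data_contents);
        free(tl);
    }
    return rc;
}

int main(void)
{
    uint16_t t = 0, l = 0;
    /* Constructed inputs: empty, one byte, and a valid five-byte value. */
    printf("bv_len=0 -> vulnerable length %u\n", vulnerable_length(0));
    printf("bv_len=1 -> vulnerable length %u\n", vulnerable_length(1));
    printf("fixed, bv_len=0 -> rc=%d\n", try_convert("", 0, &t, &l));
    printf("fixed, bv_len=1 -> rc=%d\n", try_convert("\x00", 1, &t, &l));
    if (try_convert("\x00\x01" "abc", 5, &t, &l) == 0)
        printf("fixed, bv_len=5 -> type=%u length=%u\n", t, l);
    return 0;
}
```

The point of checking bv_len before subtracting rather than checking the result afterwards is that the wrapped value is already a plausible-looking 16-bit number by the time it lands in tl_data_length; only the pre-condition on the unsigned input distinguishes a 0-byte value from a 65536-byte one.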
Root Cause
The root cause is a missing lower-bound check on an externally supplied length field before unsigned arithmetic. The fix requires validating bv_len >= 2 prior to the subtraction. This is a classic [CWE-191] integer underflow that escalates into an out-of-bounds read because the result governs a memcpy length.
Attack Vector
Exploitation requires that the KDC or kadmind be configured to read principal data from an LDAP backend the attacker can influence. An adversary with high privileges on the directory, or one who has compromised the LDAP server, returns a krbExtraData attribute with bv_len < 2. When the Kerberos daemon parses the principal, berval2tl_data() underflows and triggers the heap out-of-bounds read. Attack complexity is high because the attacker must control the LDAP response delivered to the KDC.
No verified public proof-of-concept code is available. See the Red Hat CVE-2026-11850 Advisory and the Red Hat Bug #2459970 Report for vendor analysis.
Detection Methods for CVE-2026-11850
Indicators of Compromise
- Unexpected crashes or SIGSEGV signals in krb5kdc or kadmind processes with stack traces referencing berval2tl_data or ldap_principal2.
- LDAP audit log entries showing krbExtraData attribute writes containing zero-length or single-byte BerVal values.
- AddressSanitizer heap-buffer-overflow (read) reports naming berval2tl_data in instrumented test builds of krb5kdc or kadmind; note that production libc heap checks detect corrupting writes, not out-of-bounds reads, so their absence is not evidence the bug was not triggered.
Detection Strategies
- Inspect LDAP directory entries for krbPrincipal objects whose krbExtraData values decode to fewer than 2 bytes (LDIF exports base64-encode the binary attribute, so compare decoded lengths, not the encoded text).
- Enable verbose Kerberos KDC logging and alert on parse errors or abnormal terminations during principal lookups.
- Correlate LDAP write operations from non-administrative accounts with subsequent KDC service restarts.
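As an added example for the directory inspection step above (written for this page, not part of krb5 or any vendor tooling), the program below scans an LDIF export for krbExtraData values that decode to fewer than 2 bytes, which is exactly the input that reaches the vulnerable length computation. The LDIF text, DNs and values are constructed for the illustration. It assumes unfolded lines (for example from ldapsearch with -o ldif-wrap=no) and an exact-case attribute name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed LDIF excerpt (not a real export): one well-formed value, one
 * single-byte value, one empty value. All DNs are placeholders. */
const char SAMPLE_LDIF[] =
    "dn: krbPrincipalName=host/kdc1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com\n"
    "krbPrincipalName: host/kdc1.example.com@EXAMPLE.COM\n"
    "krbExtraData:: AAEC\n"   /* decodes to 00 01 02: 2-byte tag + 1-byte payload */
    "\n"
    "dn: krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com\n"
    "krbExtraData:: AA==\n"   /* decodes to a single 0x00 byte */
    "\n"
    "dn: krbPrincipalName=bob@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com\n"
    "krbExtraData:\n";        /* empty value */

/* Minimal standard base64 decoder; returns decoded length or -1 on bad input.
 * Stops at the first '=' padding character. */
static int b64_decode(const char *s, unsigned char *out, size_t outcap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0, n = 0;
    for (; *s && *s != '='; s++) {
        const char *p = strchr(tbl, *s);
        if (p == NULL)
            return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if ((size_t)n >= outcap)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return n;
}

/* Decoded length of one LDIF line's krbExtraData value.
 * Returns -1 if the line is not a krbExtraData line, -2 if base64 is malformed.
 * Matches the attribute name case-sensitively (an assumption of this example). */
int krbextradata_len(const char *line)
{
    static const char pfx[] = "krbExtraData:";
    const size_t plen = sizeof pfx - 1;
    unsigned char buf[4096];
    if (strncmp(line, pfx, plen) != 0)
        return -1;
    const char *v = line + plen;
    if (*v == ':') {                        /* "::" marks a base64-encoded value */
        v++;
        while (*v == ' ')
            v++;
        int n = b64_decode(v, buf, sizeof buf);
        return n < 0 ? -2 : n;
    }
    while (*v == ' ')
        v++;
    return (int)strlen(v);                  /* plain printable value */
}

/* Walk the LDIF line by line, remembering the current dn, and report every
 * krbExtraData value shorter than the 2-byte tag. Returns the finding count. */
int scan_ldif(const char *ldif)
{
    char dn[512] = "(no dn)";
    char line[1024];
    int findings = 0;
    const char *p = ldif;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strncmp(line, "dn:", 3) == 0) {
            snprintf(dn, sizeof dn, "%s", line + 3 + (line[3] == ' '));
        } else {
            int n = krbextradata_len(line);
            if (n == -2) {
                printf("malformed base64 krbExtraData in %s\n", dn);
                findings++;
            } else if (n >= 0 && n < 2) {
                printf("undersized krbExtraData (%d byte%s) in %s\n",
                       n, n == 1 ? "" : "s", dn);
                findings++;
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return findings;
}

int main(void)
{
    int n = scan_ldif(SAMPLE_LDIF);
    printf("%d suspicious krbExtraData value(s)\n", n);
    return n ? 1 : 0;
}
```

On a real deployment, feed it the output of an ldapsearch over the krbcontainer subtree requesting only the krbExtraData attribute; any finding identifies a principal whose entry would trigger the underflow the next time the KDC or kadmind loads it.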
Monitoring Recommendations
- Monitor systemd or init logs for repeated restarts of the KDC and kadmind units (krb5kdc.service and kadmin.service on Red Hat-style systems; unit names vary by distribution).
- Track LDAP bind sources that modify Kerberos principal entries and alert on unexpected origins.
- Collect core dumps from Kerberos daemons and review for heap read faults in the LDAP KDB plugin.
How to Mitigate CVE-2026-11850
Immediate Actions Required
- Apply vendor patches for MIT krb5 as soon as packages are published by your distribution.
- Restrict write access to Kerberos principal entries in LDAP to a minimal set of administrative accounts.
- Use TLS (ldaps://) with server certificate verification, or mutual TLS where supported, between the KDC and the LDAP backend so that an on-path attacker cannot inject crafted BerVal data. This does not protect against a compromised or malicious directory server, which is the primary attack vector here.
Patch Information
Refer to the Red Hat CVE-2026-11850 Advisory for affected packages and fixed versions. The upstream MIT krb5 fix adds a bounds check requiring bv_len >= 2 in berval2tl_data() before the subtraction. Rebuild or reinstall the libkdb_ldap plugin from a patched source tree where vendor builds are not yet available.
Workarounds
- Switch the KDC database backend from LDAP to the local DB2 backend where operationally feasible until patches are applied. This requires exporting the realm with kdb5_util dump, loading it into a new local database, and changing the database module in the KDC configuration, so plan it as a maintenance operation rather than a quick toggle.
- Harden LDAP access control lists so that only the kadmind service account and trusted administrators can write krbExtraData. The KDC itself only needs to read this attribute; kadmind writes it when recording principal modifications.
- Deploy intrusion detection on the LDAP server to flag writes producing zero or one-byte values on Kerberos attributes.
# Example LDAP ACL hardening (OpenLDAP slapd.conf style; all DNs are placeholders).
# slapd applies the first matching "by" clause, so list specific identities
# before the catch-all and end with an explicit default deny.
access to attrs=krbExtraData,krbPrincipalKey
    by dn.exact="cn=kdc-service,ou=services,dc=example,dc=com" read
    by dn.exact="cn=adm-service,ou=services,dc=example,dc=com" write
    by dn.exact="cn=krbadmin,ou=admins,dc=example,dc=com" write
    by * none
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.