CVE-2026-40355 Overview
A NULL pointer dereference vulnerability exists in MIT Kerberos 5 (krb5) before version 1.22.3. The flaw occurs when an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can exploit this vulnerability to trigger a NULL pointer dereference in the parse_nego_message function, causing the process to terminate unexpectedly and resulting in a denial of service condition.
Critical Impact
Unauthenticated remote attackers can crash applications using Kerberos authentication by sending specially crafted NegoEx messages, potentially disrupting critical authentication services.
Affected Products
- MIT Kerberos 5 (krb5) versions prior to 1.22.3
- Systems with NegoEx mechanism registered in /etc/gss/mech
- Applications utilizing gss_accept_sec_context() API
Discovery Timeline
- April 28, 2026 - CVE-2026-40355 published to NVD
- April 28, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40355
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The flaw resides within the NegoEx message parsing functionality in the SPNEGO GSS-API implementation. When processing NegoEx protocol messages, the parse_nego_message function fails to properly validate the return value from the vector_base() function before attempting to use the returned pointer in subsequent operations.
The vulnerability can be triggered remotely over the network without requiring any authentication. An attacker can send a malformed NegoEx message with invalid size parameters that cause vector_base() to return NULL. The code then attempts to iterate over extensions using this NULL pointer, leading to process termination when the dereference occurs.
Root Cause
The root cause is inadequate input validation in the NegoEx parsing code within src/lib/gssapi/spnego/negoex_util.c. Specifically, the code retrieves offset and count values from the input message and passes them to vector_base(), but fails to check whether the function returns a valid pointer before proceeding to use it in a loop that accesses extension data. This missing NULL check allows an attacker to craft a message with invalid offset or count values that result in a NULL return, which is subsequently dereferenced.
Attack Vector
The attack can be conducted remotely over the network by any unauthenticated attacker. The attacker sends a specially crafted NegoEx negotiation message to a service that uses the Kerberos GSS-API for authentication. The malicious message contains invalid size parameters (offset and count values) that cause the vector_base() function to fail and return NULL. When the vulnerable code attempts to process extensions using this NULL pointer, the application crashes.
offset = k5_input_get_uint32_le(in);
count = k5_input_get_uint16_le(in);
p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+ if (p == NULL) {
+ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
for (i = 0; i < count; i++) {
extension_type = load_32_le(p + i * EXTENSION_LENGTH);
if (extension_type & EXTENSION_FLAG_CRITICAL) {
Source: GitHub KRB5 Commit Change
Detection Methods for CVE-2026-40355
Indicators of Compromise
- Unexpected crashes or terminations of Kerberos-enabled services such as sshd, httpd, or custom applications using GSS-API
- Core dumps or crash logs showing segmentation faults in parse_nego_message or negoex_util.c
- Abnormal patterns of failed authentication attempts immediately followed by service restarts
Detection Strategies
- Monitor system logs for segmentation fault signals (SIGSEGV) in processes using Kerberos authentication
- Implement network-based detection rules for malformed NegoEx message patterns with invalid offset or count fields
- Configure application crash monitoring to alert on repeated failures of GSS-API-enabled services
Monitoring Recommendations
- Enable verbose logging for Kerberos and GSS-API operations to capture authentication attempt details
- Deploy intrusion detection system (IDS) signatures for NegoEx protocol anomalies
- Monitor service availability metrics for applications dependent on Kerberos authentication
How to Mitigate CVE-2026-40355
Immediate Actions Required
- Upgrade MIT Kerberos 5 to version 1.22.3 or later which contains the security fix
- Review and audit systems for NegoEx mechanism registration in /etc/gss/mech
- If patching is not immediately possible, consider temporarily disabling NegoEx if not required for operations
Patch Information
The MIT Kerberos development team has addressed this vulnerability in version 1.22.3. The patch adds proper NULL pointer validation after the vector_base() call to ensure invalid messages are rejected before any dereference occurs. The fix returns GSS_S_DEFECTIVE_TOKEN with an appropriate minor status code when an invalid message is detected. Security patches and updates are available through the MIT Kerberos Security Advisory page.
Workarounds
- If upgrading is not immediately possible, consider removing NegoEx mechanism entries from /etc/gss/mech if they are not required
- Implement network-level filtering to block potentially malicious NegoEx messages at perimeter firewalls
- Deploy service restarts with automatic recovery to minimize downtime impact from potential exploitation
# Check for NegoEx mechanism registration
cat /etc/gss/mech | grep -i negoex
# Verify krb5 version
krb5-config --version
# After patching, verify the new version is installed
rpm -qa | grep krb5 # For RPM-based systems
dpkg -l | grep krb5 # For Debian-based systems
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
