CVE-2026-40356 Overview
CVE-2026-40356 is an integer underflow vulnerability in MIT Kerberos 5 (krb5) before version 1.22.3 that results in an out-of-bounds read condition. The vulnerability exists in the NegoEx mechanism parsing functionality and can be triggered when an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can exploit this vulnerability over the network, potentially causing the target process to terminate in the parse_message function.
Critical Impact
Remote unauthenticated attackers can trigger a denial of service condition by exploiting the integer underflow in NegoEx message parsing, causing Kerberos-dependent services to crash.
Affected Products
- MIT Kerberos 5 (krb5) versions prior to 1.22.3
- Systems with NegoEx mechanism registered in /etc/gss/mech
- Applications using gss_accept_sec_context() API
Discovery Timeline
- 2026-04-28 - CVE-2026-40356 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-40356
Vulnerability Analysis
This vulnerability is classified as CWE-191 (Integer Underflow). The flaw resides in the NegoEx utility code within the SPNEGO implementation of the GSS-API. When parsing NegoEx messages, the code fails to properly validate message size boundaries before performing arithmetic operations, leading to an integer underflow condition.
The vulnerable code path is triggered during the processing of extension vectors in NegoEx protocol messages. When the vector_base() function is called with offset, count, and length parameters derived from attacker-controlled input, insufficient validation allows for scenarios where the calculated memory access falls outside the intended buffer boundaries.
The attack requires network access and targets systems configured with NegoEx mechanism support. While the attack complexity is considered high due to the specific configuration requirements, successful exploitation requires no authentication or user interaction, making it a viable target for remote denial of service attacks against Kerberos infrastructure.
Root Cause
The root cause is insufficient bounds checking in the NegoEx message parsing logic within src/lib/gssapi/spnego/negoex_util.c. The code retrieves offset and count values from incoming messages and uses them to calculate memory addresses without first verifying that the resulting pointer is valid. When the vector_base() function returns a NULL pointer (indicating an invalid calculation), the code proceeds to access memory at that location, resulting in an out-of-bounds read that can crash the process.
Attack Vector
The attack vector is network-based and does not require authentication. An attacker can craft a malicious NegoEx protocol message with specially chosen offset and count values that trigger the integer underflow condition. When this message is processed by a Kerberos-enabled service calling gss_accept_sec_context(), the vulnerable parsing code attempts to read from an invalid memory location, causing the parse_message function to crash.
offset = k5_input_get_uint32_le(in);
count = k5_input_get_uint16_le(in);
p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+ if (p == NULL) {
+ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
for (i = 0; i < count; i++) {
extension_type = load_32_le(p + i * EXTENSION_LENGTH);
if (extension_type & EXTENSION_FLAG_CRITICAL) {
Source: GitHub krb5 Commit
Detection Methods for CVE-2026-40356
Indicators of Compromise
- Unexpected crashes of Kerberos-related services (KDC, kadmind, or applications using GSS-API)
- Process termination events in parse_message or related NegoEx parsing functions
- Anomalous network traffic targeting Kerberos ports (TCP/UDP 88, 749) with malformed NegoEx messages
- Core dumps from krb5-enabled applications showing crashes in negoex_util.c code paths
Detection Strategies
- Monitor system logs for repeated crashes of Kerberos authentication services
- Implement network intrusion detection rules to identify malformed NegoEx protocol messages
- Deploy application crash monitoring to detect patterns indicative of exploitation attempts
- Audit systems for the presence of NegoEx mechanism configuration in /etc/gss/mech
Monitoring Recommendations
- Enable verbose logging for GSS-API operations to capture authentication failures and parsing errors
- Configure crash dump collection for Kerberos services to facilitate forensic analysis
- Implement alerting on service restart patterns that may indicate ongoing exploitation
- Monitor network connections to Kerberos services for unusual traffic patterns or source addresses
How to Mitigate CVE-2026-40356
Immediate Actions Required
- Upgrade MIT Kerberos 5 to version 1.22.3 or later which includes the security fix
- Review systems for NegoEx mechanism configuration in /etc/gss/mech and disable if not required
- Apply vendor-provided security patches for any operating system packages containing krb5
- Implement network segmentation to limit exposure of Kerberos services to untrusted networks
Patch Information
MIT Kerberos has released a fix in version 1.22.3. The patch adds proper NULL pointer validation after the vector_base() function call, ensuring that invalid message sizes result in a controlled error return (GSS_S_DEFECTIVE_TOKEN) rather than an out-of-bounds memory access. The fix is available in commit 2e75f0d9362fb979f5fc92829431a590a130929f.
For detailed patch information, see the MIT Kerberos Advisory page. Additional technical analysis is available in the CEMS Vulnerabilities Analysis.
Workarounds
- Remove or comment out NegoEx mechanism entries from /etc/gss/mech if the mechanism is not required for your environment
- Restrict network access to Kerberos services using firewall rules to limit exposure to trusted clients only
- Deploy intrusion prevention systems (IPS) to filter malformed Kerberos/NegoEx traffic at the network perimeter
# Configuration example
# Disable NegoEx mechanism by commenting out or removing the entry in /etc/gss/mech
# Backup the original configuration
sudo cp /etc/gss/mech /etc/gss/mech.bak
# Comment out NegoEx mechanism entries (if present)
sudo sed -i 's/^negoex/#negoex/' /etc/gss/mech
# Restrict Kerberos service access via firewall (example using iptables)
sudo iptables -A INPUT -p tcp --dport 88 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 88 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 88 -j DROP
sudo iptables -A INPUT -p udp --dport 88 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
