
Mike Roszkowski

#23,404 of 53,633
10 Total CVSS
Vulnerabilities · 1
PT-2010-1098
10
2010-10-07
Mit · Mit-Krb5 · CVE-2010-1322
**Name of the Vulnerable Software and Affected Versions**

mit-krb5 versions prior to 1.9.2-r1; MIT Kerberos 5 versions 1.8.x before 1.8.4

**Description**

The issue affects the Key Distribution Center (KDC) in MIT Kerberos 5, where the `merge_authdata` function in `kdc_authdata.c` does not properly manage an index into an authorization-data list. A remote attacker can exploit this with a crafted TGS request that causes an uninitialized pointer dereference, potentially leading to a denial of service (daemon crash), or possibly to disclosure of sensitive information, spoofing of authorization data, or execution of arbitrary code.

**Recommendations**

For mit-krb5 versions prior to 1.9.2-r1, update to version 1.9.2-r1 or later. For MIT Kerberos 5 versions 1.8.x before 1.8.4, update to version 1.8.4 or later. As a temporary workaround, consider restricting network access to the KDC to minimize the risk of exploitation.