CVE-2026-40355

CVSS v3.1

5.9

Medium

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss accept sec context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse nego message.

Fix

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-476

Related Identifiers

CVE-2026-40355

Affected Products

Kerberos 5

CVE-2026-40355

Weakness Enumeration

Related Identifiers

Affected Products

References · 4