Integer Underflow Vulnerability in MIT Kerberos 5 by MIT
CVE-2026-40356

5.9MEDIUM

Key Information:

Vendor: Mit
Status: Kerberos 5
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-40356?

In versions prior to 1.22.3 of MIT Kerberos 5, an integer underflow vulnerability exists that may lead to an out-of-bounds read when gss_accept_sec_context() is invoked on a system with a registered NegoEx mechanism in /etc/gss/mech. This could allow an unauthenticated remote attacker to exploit the flaw, potentially causing the affected application process to crash during message parsing.

Affected Version(s)

Kerberos 5 1.18 < 1.22.3

References

https://web.mit.edu/kerberos/advisories/

https://cems.fun/2026/04/27/krb5-two-unauthenticated-netw...

https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc9...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 11, 2026

CVE-2026-40356 Data

JSON

Mit

What is CVE-2026-40356?

Affected Version(s)

References

CVSS V3.1

Timeline