PatchSiren cyber security CVE debrief
CVE-2026-40356 MIT CVE debrief
CVE-2026-40356 is an integer underflow vulnerability in MIT Kerberos 5, specifically in the gss_accept_sec_context() function when a NegoEx mechanism is registered in /etc/gss/mech. An unauthenticated remote attacker can exploit this, potentially causing the process to terminate. Organizations should review their Kerberos configurations and apply patches to prevent potential process termination via unauthenticated network requests.
- Vendor
- MIT
- Product
- Kerberos 5
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-28
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-04-28
- Advisory updated
- 2026-07-08
Who should care
Organizations using MIT Kerberos 5 versions prior to 1.22.3 should apply patches to prevent potential process termination via unauthenticated network requests. This vulnerability is particularly concerning for environments where Kerberos is used for authentication and authorization, as it could lead to service disruptions.
Technical summary
The vulnerability exists in the gss_accept_sec_context() function of MIT Kerberos 5 when a NegoEx mechanism is registered in /etc/gss/mech. An integer underflow leads to an out-of-bounds read, which could cause the process to terminate. This issue affects MIT Kerberos 5 versions prior to 1.22.3. The vulnerability is triggered by an unauthenticated remote attacker, making it a significant concern for organizations using affected versions.
Defensive priority
Medium priority due to the unauthenticated remote attack vector and potential for process termination.
Recommended defensive actions
- Apply patches or updates to MIT Kerberos 5 to version 1.22.3 or later.
- Review and update /etc/gss/mech configurations to ensure NegoEx mechanisms are properly managed.
- Monitor for unusual process terminations or network activity related to Kerberos services.
- Consider implementing compensating controls such as network segmentation or access restrictions for Kerberos services.
- Perform a thorough review of affected systems and apply vendor-recommended mitigations.
- Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved.
- Update incident response plans to include procedures for handling potential Kerberos service disruptions.
Evidence notes
The CVE record was published on 2026-04-28T07:16:03.197Z and last modified on 2026-07-08T12:48:10.117Z. The NVD entry is currently Analyzed. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and apply patches or mitigations as recommended by the vendor.
Official resources
-
CVE-2026-40356 CVE record
CVE.org
-
CVE-2026-40356 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory, Patch
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-28T07:16:03.197Z and has not been modified since then. The NVD entry is currently Analyzed.