PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40356 MIT CVE debrief

CVE-2026-40356 is an integer underflow vulnerability in MIT Kerberos 5, specifically in the gss_accept_sec_context() function when a NegoEx mechanism is registered in /etc/gss/mech. An unauthenticated remote attacker can exploit this, potentially causing the process to terminate. Organizations should review their Kerberos configurations and apply patches to prevent potential process termination via unauthenticated network requests.

Vendor
MIT
Product
Kerberos 5
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-28
Original CVE updated
2026-07-08
Advisory published
2026-04-28
Advisory updated
2026-07-08

Who should care

Organizations using MIT Kerberos 5 versions prior to 1.22.3 should apply patches to prevent potential process termination via unauthenticated network requests. This vulnerability is particularly concerning for environments where Kerberos is used for authentication and authorization, as it could lead to service disruptions.

Technical summary

The vulnerability exists in the gss_accept_sec_context() function of MIT Kerberos 5 when a NegoEx mechanism is registered in /etc/gss/mech. An integer underflow leads to an out-of-bounds read, which could cause the process to terminate. This issue affects MIT Kerberos 5 versions prior to 1.22.3. The vulnerability is triggered by an unauthenticated remote attacker, making it a significant concern for organizations using affected versions.

Defensive priority

Medium priority due to the unauthenticated remote attack vector and potential for process termination.

Recommended defensive actions

  • Apply patches or updates to MIT Kerberos 5 to version 1.22.3 or later.
  • Review and update /etc/gss/mech configurations to ensure NegoEx mechanisms are properly managed.
  • Monitor for unusual process terminations or network activity related to Kerberos services.
  • Consider implementing compensating controls such as network segmentation or access restrictions for Kerberos services.
  • Perform a thorough review of affected systems and apply vendor-recommended mitigations.
  • Track exceptions and retest remediated assets to ensure the vulnerability is fully resolved.
  • Update incident response plans to include procedures for handling potential Kerberos service disruptions.

Evidence notes

The CVE record was published on 2026-04-28T07:16:03.197Z and last modified on 2026-07-08T12:48:10.117Z. The NVD entry is currently Analyzed. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and apply patches or mitigations as recommended by the vendor.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-28T07:16:03.197Z and has not been modified since then. The NVD entry is currently Analyzed.