PatchSiren cyber security CVE debrief
CVE-2026-11850 Red Hat CVE debrief
CVE-2026-11850 is an integer underflow vulnerability in MIT krb5, in the `berval2tl_data()` function in `plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c`. The function computes the tl_data length as `bv_len - 2` without first checking that `bv_len` is at least 2. `bv_len` is unsigned, so when it is 0 or 1 the subtraction wraps to a very large value; storing that value in the 16-bit (`uint16_t`) length field truncates it to 0xFFFE (65534) or 0xFFFF (65535). The subsequent `malloc` of that size succeeds, and the following `memcpy` reads 65534 or 65535 bytes starting just past the end of a 0- or 1-byte buffer: a heap out-of-bounds read. The attack vector is a malicious or compromised LDAP KDB backend returning a `krbExtraData` attribute value with `bv_len < 2`; the underflow is triggered when the KDC or `kadmind` loads that principal's data.
- Vendor: Red Hat
- Product: Red Hat Hardened Images
- CVSS: 5 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Operators of MIT krb5 KDCs and `kadmind` instances, particularly those using the LDAP KDB backend, should take note. The malformed length has to come from the directory, so the exposure is to deployments where the LDAP server could be compromised or could otherwise return attacker-controlled `krbExtraData` values. Red Hat has published errata and security advisories for the affected products [ref-4], [ref-5], [ref-6].
Technical summary
The vulnerability is an integer underflow in `berval2tl_data()`, the routine in MIT krb5's LDAP KDB plugin that converts a `krbExtraData` attribute value (an LDAP `berval`) into a `krb5_tl_data` record while loading principal data. The value is expected to carry a 2-byte type prefix followed by the payload, and the code derives the payload length as `bv_len - 2`. The subtraction is unsigned and unbounded: for `bv_len` of 0 or 1 it wraps, and the result is truncated to the 16-bit length field, giving 65534 or 65535. The code then allocates a buffer of that size and copies that many bytes from the (0- or 1-byte) attribute value, producing a heap out-of-bounds read in the KDC or `kadmind`. The missing check is simply that `bv_len >= 2` before the subtraction is performed.
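The following C file is an added illustration written for this debrief; it is not krb5's code. It models the unchecked length computation described above next to a hardened conversion that rejects short values before subtracting. The `struct berval` and tl_data stand-ins, the `EINVAL` error value, the big-endian type prefix, and the sample attribute values are all assumptions made so the file builds and runs without the krb5 or LDAP headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for OpenLDAP's struct berval and krb5's krb5_tl_data so the
 * file builds without the krb5 or LDAP headers (assumption: field names and
 * widths follow those headers; this is illustrative code, not krb5's). */
struct berval {
    unsigned long bv_len;      /* ber_len_t is unsigned: 0 - 2 wraps, never goes negative */
    char         *bv_val;
};

typedef struct {
    uint16_t  tl_data_type;    /* krb5_ui_2 */
    uint16_t  tl_data_length;  /* krb5_ui_2: storing (bv_len - 2) here truncates to 16 bits */
    uint8_t  *tl_data_contents;
} tl_data_t;

/* The length the unchecked subtraction produces, with the 16-bit truncation
 * applied, but without the malloc/memcpy that makes it dangerous. */
uint16_t vulnerable_tl_length(unsigned long bv_len)
{
    return (uint16_t)(bv_len - 2);
}

/* Hardened conversion: refuse any value too short to hold the 2-byte type
 * prefix, and any value whose payload would not fit the 16-bit length field.
 * The EINVAL return is an assumption; the real fix may return a krb5 code. */
int berval2tl_data_safe(const struct berval *in, tl_data_t **out)
{
    tl_data_t *tl;

    if (in->bv_len < 2 || in->bv_len - 2 > UINT16_MAX)
        return EINVAL;

    tl = calloc(1, sizeof(*tl));
    if (tl == NULL)
        return ENOMEM;

    tl->tl_data_length = (uint16_t)(in->bv_len - 2);
    tl->tl_data_contents = malloc(tl->tl_data_length ? tl->tl_data_length : 1);
    if (tl->tl_data_contents == NULL) {
        free(tl);
        return ENOMEM;
    }

    /* Type prefix read as big-endian (assumption modelled on krb5's UNSTORE16_INT). */
    tl->tl_data_type = (uint16_t)(((uint8_t)in->bv_val[0] << 8) | (uint8_t)in->bv_val[1]);
    memcpy(tl->tl_data_contents, in->bv_val + 2, tl->tl_data_length);
    *out = tl;
    return 0;
}

void tl_data_free(tl_data_t *tl)
{
    if (tl) {
        free(tl->tl_data_contents);
        free(tl);
    }
}

int main(void)
{
    /* Constructed sample values standing in for what a backend could return for krbExtraData. */
    char empty[1] = { 0 };                          /* bv_len = 0: would wrap to 0xFFFE */
    char one[1]   = { 0x01 };                       /* bv_len = 1: would wrap to 0xFFFF */
    char good[5]  = { 0x00, 0x07, 'a', 'b', 'c' };  /* type 7, 3 payload bytes */
    struct berval vals[] = { { 0, empty }, { 1, one }, { 5, good } };

    for (size_t i = 0; i < sizeof(vals) / sizeof(vals[0]); i++) {
        tl_data_t *tl = NULL;
        int rc = berval2tl_data_safe(&vals[i], &tl);
        printf("bv_len=%lu: unchecked length would be %u, hardened rc=%d\n",
               vals[i].bv_len, (unsigned)vulnerable_tl_length(vals[i].bv_len), rc);
        tl_data_free(tl);
    }
    return 0;
}
```

The upper-bound check (`bv_len - 2 > UINT16_MAX`) goes slightly beyond the page's case: it also prevents a very long attribute value from being silently truncated to a smaller length, which is the mirror image of the same 16-bit assignment.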
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patches or updates provided by your vendor, such as those detailed in Red Hat's security advisories [ref-4], [ref-5], on every host running the KDC or `kadmind` against an LDAP backend.
- Treat the LDAP directory as trusted input to the KDC: only a malicious or compromised backend can return a `krbExtraData` value with `bv_len < 2`, so restrict who can modify principal entries and protect the integrity of the KDC-to-LDAP connection until patched.
- Monitor for potential exploitation attempts. Since the flaw is a heap out-of-bounds read, the most likely visible symptom is an unexpected crash or abnormal termination of `krb5kdc` or `kadmind` while loading principal data; investigate such events and respond accordingly.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about this vulnerability. Additional references include Red Hat errata [ref-4] and security advisories [ref-5], as well as a bug report [ref-6].
Official resources
CVE-2026-11850 was published on 2026-06-11T10:16:21.217Z and modified on 2026-06-12T15:16:24.737Z.