CVE-2026-11850
Description
An integer underflow in MIT krb5's berval2tl_data() can cause a heap out-of-bounds read when the KDC processes malformed LDAP principal data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function computes bv_len - 2 in unsigned arithmetic without first checking that bv_len is at least 2. If bv_len is 0 or 1, the subtraction wraps to a huge value which, once stored in the 16-bit tl_data_length field, becomes 0xFFFE (65534) or 0xFFFF (65535). A malloc of that size succeeds, and the following memcpy then reads up to 65535 bytes from a buffer that holds at most one byte, a heap out-of-bounds read. The issue affects MIT krb5 versions prior to commit 2a5fd83 [1][2].
Exploitation
An attacker must control, or have compromised, the LDAP KDB backend so that it returns a krbExtraData attribute with bv_len less than 2. The underflow triggers when the KDC or kadmind reads that principal's data. No particular network position is required beyond the ability to get the malformed attribute into the LDAP backend [1][2].
Impact
Successful exploitation causes a heap out-of-bounds read in the KDC or kadmind process, potentially leaking memory contents that may include Kerberos keys or other secrets and so compromising confidentiality. Because the wrapped length is large, the read may also run past the end of the heap and crash the process, but information disclosure is the primary impact [1][2].
Mitigation
The upstream fix is commit 2a5fd83 [2]. As of the publication date, Red Hat had not released an advisory for this CVE [1]. Apply the patch from the MIT krb5 repository or update to a fixed release once one is available. There are no known workarounds other than restricting the LDAP KDB backend to trusted sources [1][2].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (1)
2a5fd83 Prevent read overrun in libkdb_ldap
1 file changed · +3 −0
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c+3 −0 modified@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp); krb5_error_code berval2tl_data(struct berval *in, krb5_tl_data **out) { + if (in->bv_len < 2) + return EINVAL; + *out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data)); if (*out == NULL) return ENOMEM;
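Review bot: the new `if (in->bv_len < 2) return EINVAL;` returns before `*out` is assigned, so on the EINVAL path the caller's `*out` is left whatever it was; initializing `*out = NULL` at function entry, or documenting that the output is untouched on failure, keeps any caller that frees `*out` on error safe. A one-line comment on why 2 is the minimum (it is the two-byte prefix the later `bv_len - 2` strips before the copy) would also help the next reader, since the literal otherwise looks arbitrary.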
Vulnerability mechanics
Root cause
"Missing bounds check before unsigned subtraction in berval2tl_data() allows integer underflow when bv_len is 0 or 1."
Attack vector
An attacker who controls or compromises the LDAP KDB backend can return a `krbExtraData` attribute with `bv_len < 2`. When the KDC or kadmind reads this principal data, `berval2tl_data()` triggers the integer underflow, causing a heap out-of-bounds read of up to 65535 bytes. The attacker must already hold elevated privileges (e.g., control of the LDAP server) to inject the malformed attribute [1].
Affected code
The vulnerability resides in `berval2tl_data()` in `plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c`. The function performs an unsigned subtraction `bv_len - 2` without a prior bounds check, leading to an integer underflow when `bv_len` is 0 or 1.
What the fix does
The patch adds an early bounds check: `if (in->bv_len < 2) return EINVAL;`. This rejects any input with length less than 2 before the subtraction `bv_len - 2` is performed, preventing the unsigned integer underflow and subsequent heap over-read [patch_id=5590531].
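To make the underflow and the fix concrete, the following is an added example in C, not code from MIT krb5 or from this page. It uses local stand-ins for `struct berval` and the relevant `krb5_tl_data` fields (a 16-bit type, an unsigned 16-bit length, and the contents), computes the length the unchecked code would have used without performing the over-read, and shows a hardened decoder with the upstream `bv_len < 2` check plus one extra guard against silent truncation into the 16-bit length field. The two-byte big-endian type prefix and the helper names are assumptions of this example, not the project's API.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for OpenLDAP's struct berval: a length and a pointer. */
struct berval {
    unsigned long bv_len;
    char *bv_val;
};

/* Local stand-in for the krb5_tl_data fields that matter here.
 * The length is unsigned 16-bit, like krb5_ui_2. */
struct tl_data {
    int16_t type;
    uint16_t length;
    uint8_t *contents;
};

/* The value the unchecked code ends up with: bv_len - 2 in unsigned long
 * arithmetic, then stored into a 16-bit field. For bv_len 0 or 1 the
 * subtraction wraps and the store truncates to 0xFFFE / 0xFFFF. The value
 * is only returned here, so nothing is over-read. */
uint16_t unchecked_tl_length(unsigned long bv_len)
{
    unsigned long wrapped = bv_len - 2;   /* underflows when bv_len < 2 */
    return (uint16_t)wrapped;             /* truncated like the 16-bit field */
}

/* Hardened decoder. Assumed layout (this example's convention): a two-byte
 * big-endian type prefix followed by the contents. Returns 0 on success,
 * EINVAL for malformed input, ENOMEM on allocation failure. */
int checked_berval2tl_data(const struct berval *in, struct tl_data *out)
{
    if (in == NULL || out == NULL || in->bv_val == NULL)
        return EINVAL;
    if (in->bv_len < 2)                   /* the upstream fix: reject before subtracting */
        return EINVAL;
    if (in->bv_len - 2 > UINT16_MAX)      /* extra guard: would not fit the 16-bit field */
        return EINVAL;

    const uint8_t *p = (const uint8_t *)in->bv_val;
    out->type = (int16_t)(((uint16_t)p[0] << 8) | p[1]);
    out->length = (uint16_t)(in->bv_len - 2);
    /* malloc(0) may return NULL; request at least one byte so NULL means failure. */
    out->contents = malloc(out->length ? out->length : 1);
    if (out->contents == NULL)
        return ENOMEM;
    memcpy(out->contents, p + 2, out->length);   /* now bounded by bv_len */
    return 0;
}

void tl_data_free(struct tl_data *td)
{
    free(td->contents);
    td->contents = NULL;
}

int main(void)
{
    /* Constructed inputs: two malformed bervals and one well-formed one. */
    char tiny[1] = { 0 };
    char good[5] = { 0x00, 0x07, 'a', 'b', 'c' };   /* type 7, contents "abc" */
    struct berval inputs[] = {
        { 0, tiny }, { 1, tiny }, { 5, good },
    };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct tl_data td = { 0, 0, NULL };
        int rc = checked_berval2tl_data(&inputs[i], &td);
        printf("bv_len=%lu unchecked length=%u checked rc=%d%s\n",
               inputs[i].bv_len, unchecked_tl_length(inputs[i].bv_len), rc,
               rc == EINVAL ? " (rejected)" : "");
        if (rc == 0) {
            printf("  type=%d length=%u contents=%.*s\n",
                   td.type, td.length, (int)td.length, (const char *)td.contents);
            tl_data_free(&td);
        }
    }
    return 0;
}
```

The printed "unchecked length" for bv_len 0 and 1 is the byte count the original memcpy would have attempted; the checked decoder returns EINVAL for both before any allocation or copy happens.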
Preconditions
- auth: Attacker must control or compromise the LDAP KDB backend to return a krbExtraData attribute with bv_len < 2.
- network: The KDC or kadmind must read principal data from the compromised LDAP backend.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.