Medium severity 5.9 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 28, 2026
CVE-2026-40355
Description
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
Affected products (13)
- Range: < 1.22.3
- osv-coords (11 versions), range: < 1.18.2-34.el8_10 (+ 10 more)
  - pkg:rpm/almalinux/krb5-devel
  - pkg:rpm/almalinux/krb5-libs
  - pkg:rpm/almalinux/krb5-pkinit
  - pkg:rpm/almalinux/krb5-server
  - pkg:rpm/almalinux/krb5-server-ldap
  - pkg:rpm/almalinux/krb5-workstation
  - pkg:rpm/almalinux/krb5-xrealmauthz
  - pkg:rpm/almalinux/libkadm5
  - pkg:rpm/opensuse/krb5&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Micro%205.3
  - pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Micro%205.4
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.21.3-10.el10_2
- (no CPE) range: < 1.18.2-34.el8_10
- (no CPE) range: < 1.22.2-3.1
- (no CPE) range: < 1.19.2-150400.3.21.1
- (no CPE) range: < 1.19.2-150400.3.21.1
References (3)
News mentions (0)
No linked articles in our index yet.