Executive Summary

CVE-2026-40355 is a null pointer dereference vulnerability in the MIT Kerberos 5 (krb5) authentication software. It occurs specifically in the function parse_nego_message() when the second call to vector_base() returns NULL but this is not checked before dereferencing. This flaw can be triggered when an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech.

An unauthenticated remote attacker can exploit this vulnerability to cause the process to terminate (crash) due to the null pointer dereference.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service (DoS) by crashing the process that calls gss_accept_sec_context(). Since the process terminates unexpectedly, it can disrupt authentication services relying on MIT Kerberos, potentially affecting system availability.

Although the service may be supervised to restart after crashes, repeated exploitation could lead to service instability or downtime.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes the process running MIT Kerberos 5 to terminate unexpectedly when an unauthenticated remote attacker triggers a null pointer dereference in the function parse_nego_message(). Detection can involve monitoring for unexpected crashes or restarts of services using krb5, especially those invoking gss_accept_sec_context() with the NegoEx mechanism.

A proof-of-concept demonstration used a Dockerized krb5 environment compiled with AddressSanitizer (ASan) to detect memory-safety failures remotely.

While no specific commands are provided in the resources, general detection steps include:

• Monitoring system logs and service logs for crashes or restarts of krb5-related processes.
• Using AddressSanitizer or similar memory error detection tools when running krb5 in a test environment to detect null pointer dereferences.
• Checking for the presence of the NegoEx mechanism registered in /etc/gss/mech, as the vulnerability is triggered only if this mechanism is present.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the upstream patch that fixes this vulnerability or update to a fixed version of MIT Kerberos 5 (krb5) at or after version 1.22.3.

The fix involves adding checks to prevent null pointer dereferences and integer underflows in the NegoEx mechanism parsing code.

Until the patch or update is applied, users should consider:

• Disabling or removing the NegoEx mechanism from /etc/gss/mech if it is not required.
• Monitoring for unusual crashes or restarts of krb5 services as an indicator of exploitation attempts.
• Running krb5 services with supervision to automatically restart child listeners after crashes, minimizing service disruption.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in MIT Kerberos 5 (CVE-2026-40355) allows an unauthenticated remote attacker to cause a denial-of-service by crashing the process through a null pointer dereference. This can impact the availability of authentication services relying on MIT Kerberos.

While the vulnerability does not directly compromise confidentiality or integrity of data, the resulting denial-of-service could affect compliance with standards such as GDPR or HIPAA, which require maintaining availability and integrity of systems processing sensitive data.

Organizations relying on MIT Kerberos for authentication should consider this vulnerability as a risk to service availability and apply patches or updates to mitigate potential disruptions that could impact regulatory compliance.

Useful 0 Not Useful 0