CVE-2026-11850
Status: Awaiting Analysis (queued)
Integer Underflow in MIT krb5 LDAP KDB Backend

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: Red Hat, Inc.

Description
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535) respectively. The subsequent malloc of that size succeeds, and memcpy then reads 65534 or 65535 bytes from a buffer that holds only 0 or 1 bytes, resulting in a heap out-of-bounds read. The attack vector is a malicious or compromised LDAP KDB backend returning a krbExtraData attribute value with bv_len < 2, which triggers the underflow when the KDC or kadmind reads that principal's data.
CVSS score: not yet published (awaiting analysis)

EPSS score: not yet evaluated
Affected Vendors & Products

Vendor: mit
Product: krb5
Version / Range: * (CPE version wildcard; no affected or fixed version range is recorded on this page)
CWE

CWE-191 Integer Underflow (Wrap or Wraparound): The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Detection Guidance

The vulnerability is reached when the LDAP KDB backend returns a krbExtraData attribute value with bv_len less than 2 and the KDC or kadmind converts it with berval2tl_data(); no bounds check precedes the bv_len - 2 subtraction.

Detection therefore comes down to the data, not the network: audit the krbExtraData values stored in (or returned by) the LDAP backend and flag any value that is 0 or 1 bytes long, since the conversion assumes at least 2 leading bytes in every value. A krb5kdc or kadmind crash immediately after a principal lookup against the LDAP backend is the observable symptom on the Kerberos side.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Executive Summary

CVE-2026-11850 is an integer underflow vulnerability in MIT krb5, specifically in the berval2tl_data() function of the LDAP KDB plugin (plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c). The function performs an unsigned subtraction (bv_len - 2) without first checking that bv_len is at least 2. When bv_len is 0 or 1, the subtraction wraps to a very large value, which is then truncated to a 16-bit unsigned integer, giving 65534 or 65535. The code allocates a buffer of that size and memcpy copies 65534 or 65535 bytes out of a source buffer that holds only 0 or 1 bytes, a heap out-of-bounds read.

The vulnerability can be triggered by a malicious or compromised LDAP KDB backend that returns a krbExtraData attribute value with bv_len less than 2; the Kerberos Key Distribution Center (KDC) or kadmind hits the underflow as soon as it reads that principal's data.
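The arithmetic described in the Description, the Detection Guidance and the Executive Summary above, as an added illustration: this is a simplified reimplementation of the berval-to-tl_data conversion pattern written for this page, not MIT krb5's own berval2tl_data() code. The struct names berval_like and tl_data_like, the function names tl_length_unchecked(), krbextradata_value_ok() and berval2tl_data_checked(), and the assumption that the first two bytes of a krbExtraData value are a big-endian 16-bit type prefix are all assumptions of the example; the only thing carried over from the page is an unchecked unsigned subtraction whose result lands in a 16-bit length field.

```c
/*
 * Added illustration for CVE-2026-11850. This is NOT MIT krb5 code: the
 * struct layouts, names and the big-endian type prefix are assumptions
 * made for the example. Only the field widths that matter are kept.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* LDAP attribute value as a client library hands it back: length + bytes. */
struct berval_like {
    size_t bv_len;
    char *bv_val;
};

/* Kerberos tl_data record: 16-bit type, 16-bit length, payload.
 * The 16-bit width of tl_data_length is what turns a wrapped size_t
 * into 0xFFFE / 0xFFFF. */
struct tl_data_like {
    uint16_t tl_data_type;
    uint16_t tl_data_length;
    uint8_t *tl_data_contents;
};

/* Length computation as the page describes it: unsigned subtraction with
 * no bounds check, then truncation to uint16_t. Returned on its own so the
 * wrap can be observed without performing the out-of-bounds memcpy. */
uint16_t tl_length_unchecked(size_t bv_len)
{
    return (uint16_t)(bv_len - 2);
}

/* Detection-style pre-check for a krbExtraData value: is there room for
 * the 2-byte type prefix? Returns 1 if well-formed, 0 if malformed. */
int krbextradata_value_ok(const struct berval_like *bv)
{
    return bv->bv_val != NULL && bv->bv_len >= 2;
}

/* Hardened conversion: reject bv_len < 2 before any arithmetic, and also
 * refuse payloads that would not fit the 16-bit length field. Returns 0 on
 * success or an errno value; on success the caller frees (*out)->tl_data_contents
 * and *out. */
int berval2tl_data_checked(const struct berval_like *in,
                           struct tl_data_like **out)
{
    struct tl_data_like *tl;

    if (!krbextradata_value_ok(in) || in->bv_len - 2 > UINT16_MAX)
        return EINVAL;

    tl = malloc(sizeof(*tl));
    if (tl == NULL)
        return ENOMEM;

    tl->tl_data_length = (uint16_t)(in->bv_len - 2);
    /* malloc(0) may legally return NULL; a zero-length payload is still valid. */
    tl->tl_data_contents = malloc(tl->tl_data_length ? tl->tl_data_length : 1);
    if (tl->tl_data_contents == NULL) {
        free(tl);
        return ENOMEM;
    }
    /* Assumed layout: 2-byte big-endian type, then the payload. */
    tl->tl_data_type = (uint16_t)(((uint8_t)in->bv_val[0] << 8) |
                                  (uint8_t)in->bv_val[1]);
    memcpy(tl->tl_data_contents, in->bv_val + 2, tl->tl_data_length);
    *out = tl;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not real directory data. */
    char good_bytes[] = { 0x00, 0x03, 'a', 'b', 'c' };
    struct berval_like samples[] = {
        { 0, "" },         /* bv_len 0: wraps to 0xFFFE */
        { 1, "\x01" },     /* bv_len 1: wraps to 0xFFFF */
        { 5, good_bytes }, /* 2-byte type prefix + 3-byte payload */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct tl_data_like *tl = NULL;
        int rc = berval2tl_data_checked(&samples[i], &tl);
        printf("bv_len=%zu unchecked length=%u checked rc=%d\n",
               samples[i].bv_len, tl_length_unchecked(samples[i].bv_len), rc);
        if (rc == 0) {
            free(tl->tl_data_contents);
            free(tl);
        }
    }
    return 0;
}
```

Build with cc -std=c99 -Wall. The unchecked function shows 0 becoming 65534 and 1 becoming 65535 without ever doing the over-long copy; the checked conversion rejects those same inputs with EINVAL before allocating anything. The krbextradata_value_ok() test is also the predicate an audit of directory contents would apply to every krbExtraData value.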

Impact Analysis

The result is a heap out-of-bounds read of up to roughly 64 KiB: memcpy walks past the 0- or 1-byte source buffer into whatever follows it on the heap. If that walk reaches an unmapped page the KDC or kadmind process crashes (denial of service); otherwise adjacent heap contents are copied into the newly allocated tl_data record, which is the information-disclosure angle the page notes.

The attack requires a malicious or compromised LDAP KDB backend to supply the crafted value, so the exposure depends on who can write krbExtraData into the directory (the LDAP server itself, or anyone able to modify principal entries in it) and on the environment in which MIT krb5 is deployed.

Mitigation Strategies

Immediate mitigation is to update MIT krb5 to a build that carries the upstream fix for the integer underflow in berval2tl_data(); this page does not record a fixed version number, so check the vendor advisory for the exact package.

Additionally, treat the LDAP KDB backend as part of the KDC's trust boundary: restrict who can modify principal entries in the directory and ensure the KDC's channel to it cannot be tampered with, so a crafted krbExtraData value cannot be introduced in the first place.

No specific mitigation commands or workarounds are detailed in the provided resources.
