CVE-2026-11850
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
An integer underflow vulnerability was found in the berval2tl_data() function in MIT krb5, which can lead to out-of-bounds memory reads. The issue occurs when the buffer length (bv_len) is 0 or 1, causing incorrect calculations and reading up to 65534 bytes from a 0-1 byte buffer.
Risk Assessment
An attacker could exploit this vulnerability to access memory outside the allocated area, potentially leading to the disclosure of sensitive data or system instability. The risk is heightened in the case of a malicious or compromised LDAP KDB backend.
Recommendation
It is recommended to update to the latest version of MIT krb5 that addresses this vulnerability. Additionally, an audit of the LDAP KDB backend configuration should be conducted to minimize the risk of attack.
Original NVD description (English source)
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.

