CVE-2021-36222

Published: 22 July 2021

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package   Release                           Status
krb5      Upstream                          Released (1.18.3-6)
          Ubuntu 21.10 (Impish Indri)       Not vulnerable (1.18.3-6)
          Ubuntu 21.04 (Hirsute Hippo)      Needed
          Ubuntu 20.04 LTS (Focal Fossa)    Needed
          Ubuntu 18.04 LTS (Bionic Beaver)  Needed
          Ubuntu 16.04 ESM (Xenial Xerus)   Needs triage
          Ubuntu 14.04 ESM (Trusty Tahr)    Needs triage

Patches:
Upstream: https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562
Binaries built from this source package are in Universe and so are supported by the community.