Published: 23 August 2021
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
CVSS 3 base score: 6.5
This vulnerability was introduced by commit 39548a5, as established by upstream. Prior to this commit, an error would be returned instead of the NULL dereference. In the patch notes, the CVE is described as affecting releases 1.14 and later only (meaning that xenial and trusty are not affected by this).
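The affected ranges above (1.14 up to but excluding 1.18.5, and 1.19.0 up to but excluding 1.19.3) are easy to misread when checking a fleet, so here is an added version check that encodes them; this is example code written for this entry, not part of krb5 or the Ubuntu tracker. It assumes the upstream release string format printed by `krb5-config --version` ("Kerberos 5 release X.Y.Z"); the sample strings in the block are constructed. Note that distribution packages such as Ubuntu's backport fixes without changing the upstream version number, so for a distro build the package changelog, not this check, is authoritative.

```python
"""Affected-version predicate for the krb5 KDC NULL dereference (example code)."""
import re

# Boundaries taken from the advisory text above:
#   affected: >= 1.14 and < 1.18.5, plus 1.19.0 <= v < 1.19.3
FIRST_AFFECTED = (1, 14, 0)      # per upstream patch notes: 1.14 and later only
FIXED_1_18 = (1, 18, 5)
FIXED_1_19 = (1, 19, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
_KRB5_CONFIG_RE = re.compile(r"Kerberos 5 release (\d+\.\d+(?:\.\d+)?)")


def parse_version(text):
    """Turn '1.19.2' or '1.18' into a comparable (major, minor, patch) tuple.

    A missing patch component (e.g. '1.17') is treated as .0, which is how
    upstream names the first release of a series.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised krb5 version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_krb5_config(output):
    """Extract the version tuple from `krb5-config --version` output.

    Assumed format (constructed sample below): 'Kerberos 5 release 1.19.2'.
    """
    m = _KRB5_CONFIG_RE.search(output)
    if m is None:
        raise ValueError("no krb5 release found in: %r" % output)
    return parse_version(m.group(1))


def is_affected(version):
    """True if an upstream krb5 build of this version contains the bug."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIRST_AFFECTED:
        return False                      # bug introduced after 1.13.x
    if v < FIXED_1_18:
        return True                       # 1.14 .. 1.18.4 inclusive
    if (1, 19, 0) <= v < FIXED_1_19:
        return True                       # 1.19.0 .. 1.19.2 inclusive
    return False                          # 1.18.5+, 1.19.3+, 1.20+


if __name__ == "__main__":
    # Constructed sample output, as if captured from `krb5-config --version`.
    sample = "Kerberos 5 release 1.19.2"
    ver = version_from_krb5_config(sample)
    print("%s -> %s" % (sample, "AFFECTED" if is_affected(ver) else "not affected"))
```

Run it against real output with `krb5-config --version | python3 check.py` style piping, or call `is_affected()` directly from an inventory script; any string the regex rejects raises `ValueError` rather than silently reporting "not affected", which is the safer failure mode for a vulnerability check.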