CVE-2026-11850— Krb5: krb5: integer underflow in berval2tl_data() leads to heap out-of-bounds read
Possible ATT&CK Techniques 2AI
T1210 · Exploitation of Remote Services T1068 · Exploitation for Privilege EscalationAffected Version Matrix 7
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 | any | affected |
| Red Hat | Red Hat Enterprise Linux 6 | any | affected |
| Red Hat | Red Hat Enterprise Linux 7 | any | affected |
| Red Hat | Red Hat Enterprise Linux 8 | any | affected |
| Red Hat | Red Hat Enterprise Linux 9 | any | affected |
| Red Hat | Red Hat Hardened Images | 1.22.2-8.hum1< * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4 | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-11850
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Krb5: krb5: integer underflow in berval2tl_data() leads to heap out-of-bounds read
Source: NVD (National Vulnerability Database)
Vulnerability Description
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
整数下溢(超界折返)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MIT krb5 数字错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MIT krb5(MIT Kerberos 5)是美国麻省理工(Massachusetts Institute Of Technology)大学的一套网络认证协议,它采用客户端/服务器结构,并且客户端和服务器端均可对对方进行身份认证(即双重验证),可防止窃听、防止replay攻击等。 MIT krb5存在数字错误漏洞,该漏洞源于berval2tl_data()函数中整数下溢,未进行边界检查的无符号减法导致后续malloc成功并读取超出缓冲区数据,可能导致堆越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Hardened Images | 1.22.2-8.hum1 ~ * | cpe:/a:redhat:hummingbird:1 | |
| Red Hat | Red Hat Enterprise Linux 10 | - | cpe:/o:redhat:enterprise_linux:10 | |
| Red Hat | Red Hat Enterprise Linux 6 | - | cpe:/o:redhat:enterprise_linux:6 | |
| Red Hat | Red Hat Enterprise Linux 7 | - | cpe:/o:redhat:enterprise_linux:7 | |
| Red Hat | Red Hat Enterprise Linux 8 | - | cpe:/o:redhat:enterprise_linux:8 | |
| Red Hat | Red Hat Enterprise Linux 9 | - | cpe:/o:redhat:enterprise_linux:9 | |
| Red Hat | Red Hat OpenShift Container Platform 4 | - | cpe:/a:redhat:openshift:4 |
II. Public POCs for CVE-2026-11850
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-11850
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-11850 (3)
Same Patch Batch · Red Hat · 2026-06-11 · 5 CVEs total
| CVE-2026-11774 | 7.6 HIGH | 389-ds-base: 389-ds-base: integer overflow in sasl packet length bypasses size limit leadi |
| CVE-2026-53701 | 6.5 MEDIUM | Gstreamer1-plugins-bad-free: gstreamer: out-of-bounds write in h.266/vvc pps picture parti |
| CVE-2026-53702 | 6.5 MEDIUM | Gstreamer1-plugins-bad-free: gstreamer: stack buffer overflow in h.265 buffering period se |
| CVE-2026-11986 | 4.9 MEDIUM | Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk ro |
IV. Related Vulnerabilities
Same product: Red Hat Hardened Images
- CVE-2026-12515
Katello: missing repository authorization in content_uploads - CVE-2026-48864
Libsolv: heap buffer overflow in libsolv repopagestore via u - CVE-2026-6732
Libxml2: libxml2: denial of service via crafted xsd-validate - CVE-2026-1584
Gnutls: gnutls: remote denial of service via crafted clienth - CVE-2025-14821
Libssh: libssh: insecure default configuration leads to loca
Same vendor: Red Hat
- CVE-2026-12515
Katello: missing repository authorization in content_uploads - CVE-2026-12528
389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__n - CVE-2026-12491
Vllm: vllm: image exif rotation & png trns transparency not - CVE-2026-4367
Libxpm: libxpm: denial of service via out-of-bounds read in - CVE-2026-10649
Pacemaker: pacemaker: denial of service via integer overflow
Same weakness: CWE-191
- CVE-2026-54413
driftregion iso14229 缓冲区错误漏洞 - CVE-2026-42542
TDengine has an integer underflow in uvConnMayGetUserInfo() - CVE-2026-42981
Windows Performance Monitor Remote Code Execution Vulnerabil - CVE-2026-42980
NT OS Kernel Elevation of Privilege Vulnerability - CVE-2026-45463
Microsoft Office Remote Code Execution Vulnerability
V. Comments for CVE-2026-11850
No comments yet