microsoft · kgodara912 · May 11, 2026 · May 1, 2026 · May 8, 2026
@@ -0,0 +1,66 @@
+From 0c8b9f176c00897ad2ef323da52a3b95f023c612 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 8 Apr 2026 17:57:59 -0400
+Subject: [PATCH] Fix two NegoEx parsing vulnerabilities
+
+In parse_nego_message(), check the result of the second call to
+vector_base() before dereferencing it.  In parse_message(), check for
+a short header_len to prevent an integer underflow when calculating
+the remaining message length.
+
+Reported by Cem Onat Karagun.
+
+CVE-2026-40355:
+
+In MIT krb5 release 1.18 and later, if an application calls
+gss_accept_sec_context() on a system with a NegoEx mechanism
+registered in /etc/gss/mech, an unauthenticated remote attacker can
+trigger a null pointer dereference, causing the process to terminate.
+
+CVE-2026-40356:
+
+In MIT krb5 release 1.18 and later, if an application calls
+gss_accept_sec_context() on a system with a NegoEx mechanism
+registered in /etc/gss/mech, an unauthenticated remote attacker can
+trigger a read overrun of up to 52 bytes, possibly causing the process
+to terminate.  Exfiltration of the bytes read does not appear
+possible.
+
+ticket: 9205 (new)
+tags: pullup
+target_version: 1.22-next
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f.patch
+---
+ src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
+index edc5462..a65238e 100644
+--- a/src/lib/gssapi/spnego/negoex_util.c
++++ b/src/lib/gssapi/spnego/negoex_util.c
+@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
+     offset = k5_input_get_uint32_le(in);
+     count = k5_input_get_uint16_le(in);
+     p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
++    if (p == NULL) {
++        *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
++        return GSS_S_DEFECTIVE_TOKEN;
++    }
+     for (i = 0; i < count; i++) {
+         extension_type = load_32_le(p + i * EXTENSION_LENGTH);
+         if (extension_type & EXTENSION_FLAG_CRITICAL) {
+@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
+     msg_len = k5_input_get_uint32_le(in);
+     conv_id = k5_input_get_bytes(in, GUID_LENGTH);
+
+-    if (in->status || msg_len > token_remaining || header_len > msg_len) {
++    if (in->status || msg_len > token_remaining ||
++        header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
+         *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+         return GSS_S_DEFECTIVE_TOKEN;
+     }
+-- 
+2.45.4
+
@@ -4,7 +4,7 @@
 Summary:        The Kerberos newtork authentication system
 Name:           krb5
 Version:        1.21.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,6 +14,7 @@ Source0:        https://kerberos.org/dist/%{name}/%{maj_version}/%{name}-%{versi
 Source1:        krb5.conf
 Patch0:         CVE-2024-26461.patch
 Patch1:         CVE-2025-24528.patch
+Patch2:         CVE-2026-40356.patch
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  openssl-devel
 Requires:       e2fsprogs-libs
@@ -127,6 +128,9 @@ make check
 %{_datarootdir}/locale/*
 
 %changelog
+* Fri May 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.21.3-4
+- Patch for CVE-2026-40356
+
 * Wed Jan 21 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.21.3-3
 - Patch for CVE-2025-24528
 

@@ -195,8 +195,8 @@ libsolv-0.7.28-3.azl3.aarch64.rpm
 libsolv-devel-0.7.28-3.azl3.aarch64.rpm
 libssh2-1.11.1-1.azl3.aarch64.rpm
 libssh2-devel-1.11.1-1.azl3.aarch64.rpm
-krb5-1.21.3-3.azl3.aarch64.rpm
-krb5-devel-1.21.3-3.azl3.aarch64.rpm
+krb5-1.21.3-4.azl3.aarch64.rpm
+krb5-devel-1.21.3-4.azl3.aarch64.rpm
 nghttp2-1.61.0-3.azl3.aarch64.rpm
 nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
 curl-8.11.1-6.azl3.aarch64.rpm

@@ -195,8 +195,8 @@ libsolv-0.7.28-3.azl3.x86_64.rpm
 libsolv-devel-0.7.28-3.azl3.x86_64.rpm
 libssh2-1.11.1-1.azl3.x86_64.rpm
 libssh2-devel-1.11.1-1.azl3.x86_64.rpm
-krb5-1.21.3-3.azl3.x86_64.rpm
-krb5-devel-1.21.3-3.azl3.x86_64.rpm
+krb5-1.21.3-4.azl3.x86_64.rpm
+krb5-devel-1.21.3-4.azl3.x86_64.rpm
 nghttp2-1.61.0-3.azl3.x86_64.rpm
 nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
 curl-8.11.1-6.azl3.x86_64.rpm

@@ -162,10 +162,10 @@ kernel-headers-6.6.134.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
-krb5-1.21.3-3.azl3.aarch64.rpm
-krb5-debuginfo-1.21.3-3.azl3.aarch64.rpm
-krb5-devel-1.21.3-3.azl3.aarch64.rpm
-krb5-lang-1.21.3-3.azl3.aarch64.rpm
+krb5-1.21.3-4.azl3.aarch64.rpm
+krb5-debuginfo-1.21.3-4.azl3.aarch64.rpm
+krb5-devel-1.21.3-4.azl3.aarch64.rpm
+krb5-lang-1.21.3-4.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
 libarchive-3.7.7-6.azl3.aarch64.rpm

@@ -170,10 +170,10 @@ kernel-headers-6.6.134.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
-krb5-1.21.3-3.azl3.x86_64.rpm
-krb5-debuginfo-1.21.3-3.azl3.x86_64.rpm
-krb5-devel-1.21.3-3.azl3.x86_64.rpm
-krb5-lang-1.21.3-3.azl3.x86_64.rpm
+krb5-1.21.3-4.azl3.x86_64.rpm
+krb5-debuginfo-1.21.3-4.azl3.x86_64.rpm
+krb5-devel-1.21.3-4.azl3.x86_64.rpm
+krb5-lang-1.21.3-4.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
 libarchive-3.7.7-6.azl3.x86_64.rpm