CVE-2021-37750

MEDIUM
Published Aug 23, 2021 (4y ago) · Modified Jun 17, 2026 (2w ago)
6.5 CVSS 3.1

Description

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.

CVSS Details

Base Score: 6.5
Exploitability: 2.8
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 6

Vendor            Product                                                             Version  Range
mit               kerberos_5                                                          *        <1.18.5
mit               kerberos_5                                                          *        ≥1.19.0 – <1.19.3
fedoraproject     fedora                                                              33       any
debian            debian_linux                                                        9.0      any
starwindsoftware  starwind_virtual_san                                                v8r13    any
oracle            communications_cloud_native_core_network_slice_selection_function   22.1.0   any

References 8

  • github.com https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49
    Patch, Third Party Advisory
  • github.com https://github.com/krb5/krb5/releases
    Release Notes, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/09/msg00019.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFCLW7D46E4VCREKKH453T5DA4XOLHU2/
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210923-0002/
    Third Party Advisory
  • web.mit.edu https://web.mit.edu/kerberos/advisories/
    Vendor Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory
  • starwindsoftware.com https://www.starwindsoftware.com/security/sw-20220817-0004/
    Third Party Advisory

Remediation

  • github.com https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory