CVE-2024-37371

moderate-risk

Published 2024-06-28

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Kerberos 5

Debian Linux

Affected Vendors

Debian Mit

References (6)

Patch https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef

Vendor Advisory https://web.mit.edu/kerberos/www/advisories/

Patch https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef

https://security.netapp.com/advisory/ntap-20241108-0009/

https://security.netapp.com/advisory/ntap-20250124-0010/

Vendor Advisory https://web.mit.edu/kerberos/www/advisories/

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 6/34 · Minimal

Exposure 9/34 · Low