Headline
CVE-2022-3116: CERT/CC Vulnerability Note VU#730793
The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.
CERT Coordination Center
Heimdal Kerberos vulnerable to remotely triggered NULL pointer dereference
Vulnerability Note VU#730793
Original Release Date: 2022-10-07 | Last Revised: 2023-01-12
Overview
The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.
Description
CVE-2022-3116 A flawed logical condition in lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token.
Impact
An attacker can use a specially crafted network packet to cause a vulnerable application to crash.
Solution
The latest version of code in the Heimdal master branch fixes the issue. However, the current stable release 7.7.0 does not include the fix.
Acknowledgements
Thanks to Internet Systems Consortium for reporting the vulnerability.
This document was written by Kevin Stephens.
Vendor Information
Filter by content: Additional information available
Sort by:
Other Information
CVE IDs:
CVE-2022-3116
API URL:
VINCE JSON | CSAF
Date Public:
2022-10-07
Date First Published:
2022-10-07
Date Last Updated:
2023-01-12 16:18 UTC
Document Revision:
5