CVE-2024-26458: 
Kerberos vulnerability analysis and mitigation

Kerberos 5 (krb5) version 1.21.2 contains a memory leak vulnerability in the file /krb5/src/lib/rpc/pmap_rmt.c. The vulnerability was disclosed on February 28, 2024, and affects the core Kerberos authentication system (NVD, Ubuntu).

The vulnerability stems from a memory leak in the pmaprmt.c file where a variable named portptr is allocated memory but not properly freed. Specifically, if the xdruint32 function call returns false after memory allocation, the program returns without freeing the allocated memory region. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD, GitHub Analysis).

The memory leak vulnerability could potentially lead to resource exhaustion and denial of service (DoS) attacks. However, it's worth noting that the affected function pmap_rmtcall() is unused by the rest of the krb5 code base and likely unused by other implementations (Ubuntu).

The vulnerability has been fixed in subsequent releases of Kerberos 5. Various vendors have released patches for their affected products. For instance, Red Hat has released security updates for RHEL 8 systems, and NetApp has provided patches for affected products including ONTAP 9.12.1P14, 9.13.1P11, 9.14.1P6, and 9.15.1 (Red Hat Advisory, NetApp Advisory).