CVE-2024-26461: 
Kerberos vulnerability analysis and mitigation

Kerberos 5 (krb5) version 1.21.2 contains a memory leak vulnerability in the file /krb5/src/lib/gssapi/krb5/k5sealv3.c. The vulnerability was discovered in February 2024 and affects various systems and applications that use the MIT Kerberos 5 implementation (MITRE CVE, NVD).

The vulnerability occurs in the k5sealv3.c file where a memory leak is present in the allocation of resources. The issue specifically involves a variable named 'plain' defined on line 110, which is passed to the allocdata function. When certain conditions are met, the program jumps to an error label without properly releasing the allocated memory. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA-ADP, [GitHub Analysis](https://github.com/LuMingYinDetect/krb5defects/blob/main/krb5detect2.md)).

The vulnerability could potentially lead to resource exhaustion and denial of service (DoS) attacks. However, according to upstream developers, the leak affects an encoding function and occurs on a bounds check which likely cannot be triggered with any choice of memory-valid API inputs (Ubuntu Notes).

The vulnerability has been fixed in various versions of affected systems. For example, Ubuntu has released fixes in versions 1.21.3-3ubuntu0.2 (24.10), 1.20.1-6ubuntu2.5 (24.04 LTS), and 1.19.2-2ubuntu0.6 (22.04 LTS). The fix is also available in krb5 version 1.21.3-4 for Debian systems (Ubuntu Security, NetApp Advisory).