CVE-2024-26461: 
Kerberos vulnerability analysis and mitigation

Kerberos 5 (krb5) version 1.21.2 contains a memory leak vulnerability in the file /krb5/src/lib/gssapi/krb5/k5sealv3.c. The vulnerability was discovered in February 2024 and affects various systems and applications that use the MIT Kerberos 5 implementation (MITRE CVE, NVD).

The vulnerability occurs in the k5sealv3.c file where a memory leak is present in the allocation of resources. The issue specifically involves a variable named 'plain' defined on line 110, which is passed to the alloc_data function. When certain conditions are met, the program jumps to an error label without properly releasing the allocated memory. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA-ADP, GitHub Analysis).

The vulnerability could potentially lead to resource exhaustion and denial of service (DoS) attacks. However, according to upstream developers, the leak affects an encoding function and occurs on a bounds check which likely cannot be triggered with any choice of memory-valid API inputs (Ubuntu Notes).

The vulnerability has been fixed in various versions of affected systems. For example, Ubuntu has released fixes in versions 1.21.3-3ubuntu0.2 (24.10), 1.20.1-6ubuntu2.5 (24.04 LTS), and 1.19.2-2ubuntu0.6 (22.04 LTS). The fix is also available in krb5 version 1.21.3-4 for Debian systems (Ubuntu Security, NetApp Advisory).