CVE-2024-26462: 
Kerberos vulnerability analysis and mitigation

Kerberos 5 (krb5) version 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. The vulnerability was discovered and disclosed in February 2024, affecting multiple systems and software that incorporate MIT Kerberos 5 (NVD, NetApp Advisory).

The vulnerability exists in the ndr.c file where a struct named b is defined and its address is passed to the k5bufinitdynamic function. The function allocates dynamic memory for buf->data using malloc, but if the if statement on line 102 evaluates to true, the program returns on line 103 without freeing the allocated memory region, resulting in a memory leak. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, [GitHub Analysis](https://github.com/LuMingYinDetect/krb5defects/blob/main/krb5detect3.md)).

The vulnerability can lead to denial of service through memory exhaustion. When successfully exploited, it could trigger if the input contains invalid UTF-8, though it may require elevated privileges (NetApp Advisory).

Various vendors have released patches to address this vulnerability. For example, NetApp has provided fixes for affected products through their Management Services for Element Software and NetApp HCI in version 2.25.42 (NetApp Advisory).