CVE-2025-59089: 
Rocky Linux vulnerability analysis and mitigation

CVE-2025-59089 is a vulnerability in python-kdcproxy that was disclosed on November 12, 2025. The vulnerability affects the kdcproxy component when handling TCP response buffering. When kdcproxy connects to a KDC server, it does not enforce bounds on TCP response length, allowing an attacker to conduct denial-of-service attacks (NVD, Red Hat).

The vulnerability exists because kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

An attacker can exploit this vulnerability to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients (NVD).

The vulnerability has been fixed in a patch that interrupts receiving of messages that exceed maximum Kerberos message length, prevents accepting messages longer than expected length, and optimizes buffer exports to occur only once after receiving process is completed. The fix is available through multiple Red Hat security advisories for different versions (GitHub PR).