A severe denial-of-service vulnerability tracked as CVE-2026-40355 has been discovered in MIT Kerberos 5, the widely used reference implementation of the Kerberos network authentication protocol. Systems running versions prior to 1.22.3 are exposed to a flaw that can crash or hang services simply by processing a maliciously crafted GSSAPI security context when the NegoEx mechanism is registered. The fix is available in MIT krb5 release 1.22.3, and all administrators of affected systems must apply it immediately.
The vulnerability resides in the Generic Security Services Application Program Interface (GSSAPI) layer, specifically in how it handles Negotiate Extensions (NegoEx). GSSAPI provides a standard way for applications to use various security mechanisms, and NegoEx is a mechanism used to negotiate the selection of an underlying authentication protocol, often as part of SPNEGO. When NegoEx is registered as an available mechanism, an attacker can send specially constructed GSSAPI tokens that trigger an infinite loop or a null-pointer dereference, leading to resource exhaustion and service disruption.
How the Vulnerability Works
At its core, CVE-2026-40355 exploits a logic error in the token processing routine of the NegoEx module within MIT krb5. NegoEx operates by exchanging tokens between client and server to agree on a common authentication mechanism. The attacker delivers a token containing a specific combination of extensions and control flags that confuses the server's state machine. The server then enters an unrecoverable loop or attempts to access an uninitialized pointer, causing the process to abort. No authentication or prior access is required; unauthenticated remote attackers can trigger the DoS on any service listening with GSSAPI and NegoEx enabled.
The affected code path is reached during the very first context establishment step, meaning that simply presenting a malformed initial token is sufficient. This makes the attack extremely low-cost and easily automatable. Because GSSAPI is used in many critical services—SSH, HTTP, LDAP, NFS, and database connectors—the blast radius is significant.
The Role of NegoEx in Modern Authentication
NegoEx, short for Negotiate Extensions, is not an authentication protocol itself but rather a meta-mechanism that helps two parties decide which security protocol to use. It was originally introduced by Microsoft as an extension to the Negotiate SSP (Security Support Provider) and is implemented in Windows for Kerberos, NTLM, and other SSPs. MIT Kerberos added NegoEx support to improve interoperability with Windows domains and to enable more flexible protocol selection in heterogeneous environments.
In a typical GSSAPI-using application, an acceptor (server) advertises a list of supported mechanisms. When NegoEx is one of them, the initiator (client) may choose it to negotiate the final mechanism—often Kerberos or NTLM. The negotiation involves one or more round trips of opaque tokens. CVE-2026-40355 lies in the acceptor's handling of a specific NegoEx message type, where insufficient validation of the message length and content triggers undefined behavior.
Affected Systems and Software
Any software relying on MIT krb5 versions before 1.22.3 and having NegoEx enabled as a GSSAPI mechanism is vulnerable. This includes:
- Linux and UNIX servers using MIT krb5 for SSH (with GSSAPIAuthentication), Apache with mod_auth_gssapi, PostgreSQL, MySQL, or other services that employ GSSAPI.
- Cyrus SASL installations where GSSAPI is used and NegoEx is present.
- Container images and appliances that bundle MIT krb5; many minimal images may not expose the services directly, but if they process GSSAPI tokens, they are at risk.
- Cross‑realm trust setups where a MIT KDC interacts with Active Directory and NegoEx is involved in the authentication flow.
- Custom applications that link libgssapi_krb5 and register the NegoEx mech.
Windows systems that rely exclusively on the built‑in Kerberos implementation (Kerberos.dll) are not directly affected by this MIT krb5 flaw. However, many Windows environments run Linux subsystems, WSL instances, or third‑party software that bundles MIT Kerberos. Additionally, services like OpenSSH on Windows can use MIT Kerberos if configured to do so. Administrators should identify any non‑Windows hosts or cross‑platform tools that use MIT krb5.
Impact and Severity
CVE-2026-40355 has a CVSS v3.1 base score of 7.5 (High), reflecting its network‑based attack vector, low complexity, and no privilege or user interaction requirements. The primary impact is availability loss; confidentiality and integrity remain intact. However, the ease of exploitation elevates the urgency.
Service‑side denial‑of‑service attacks in authentication stacks are especially dangerous because they can be launched against any exposed port that starts a GSSAPI session. For example, an attacker could target an internet‑facing SSH server, sending one crafted token per connection attempt. If not rate‑limited, this could exhaust RAM or CPU, making the server unresponsive. In cloud environments, auto‑scaling might mask the attack but incur significant cost.
Moreover, because the flaw is in the mech library rather than in a particular service, the same vulnerability can be used to crash multiple different daemons on the same host, enabling a lateral‑movement DoS within a network.
Mitigation and Remediation
Apply the patch immediately. The MIT krb5 project has released version 1.22.3 with a comprehensive fix. The corrected code adds proper bounds checks and a timeout for the negotiation loop, eliminating both the infinite loop and the null pointer access. Upgrading is strongly recommended over partial mitigations.
For systems where upgrading is not immediately possible, consider these workarounds:
- Disable NegoEx by removing or renaming the negoex.so shared object from the MIT krb5 GSSAPI mech plug‑in directory. The default location is /usr/lib/x86_64-linux-gnu/gssapi/ or /usr/lib64/gssapi/, but it may vary. After removal, mechanisms will fall back to standard Kerberos GSSAPI or other alternatives.
- Disable GSSAPI authentication on exposed services if it is not essential. For SSH, set GSSAPIAuthentication no in sshd_config. For HTTP, disable the corresponding authentication module.
- Restrict access to vulnerable services using firewalls or network ACLs to trusted IP ranges.
- Deploy application‑layer rate limiting to deter frequent GSSAPI session initiations from unknown clients.
Note that simply blocking a specific NegoEx message type is not feasible because the vulnerability is triggered by a sequence of bytes that appear normal until processing reaches the flawed logic.
How to Verify Your Exposure
Administrators can check whether a MIT krb5 installation has the vulnerable NegoEx module:
# Locate the mech plug‑in directory
find / -name "negoex.so" 2>/dev/null
If the file exists, check the version of krb5:
klist -V # or rpm -q krb5-libs / dpkg -l libkrb5-3
Version strings earlier than 1.22.3 indicate vulnerability.
To test if NegoEx is actively being used, a quick GSSAPI mechanism enumeration can be performed:
gss-client -mechs | grep -i negoex
If it appears in the list, the mech is registered.
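The three checks above, plus the sshd_config workaround from the mitigation section, combined into one POSIX shell script. This is an added example, not code from the MIT krb5 project or from this advisory; it assumes that klist -V prints "Kerberos 5 version X.Y.Z", that the plug‑in is a file named negoex.so in one of the directories the page lists, and that sshd reads GSSAPIAuthentication from /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added exposure check for CVE-2026-40355; not code from the MIT krb5 project.
# Assumptions: `klist -V` prints "Kerberos 5 version X.Y.Z", the NegoEx plug-in is a
# file named negoex.so in a GSSAPI mech directory, sshd config is /etc/ssh/sshd_config.
FIXED_VERSION="1.22.3"

# Return 0 (true) when $1 is a dotted version strictly older than FIXED_VERSION.
# Compared field by field so that 1.22.10 is correctly treated as newer than 1.22.3.
krb5_version_vulnerable() {
    [ -n "$1" ] || return 1
    printf '%s %s\n' "$1" "$FIXED_VERSION" | awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0
            if (x < y) exit 0; if (x > y) exit 1
        }
        exit 1 }'
}
# Extract "X.Y.Z" from a klist -V line such as "Kerberos 5 version 1.21.2".
parse_klist_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}
# Print each negoex.so present in the common mech plug-in directories.
find_negoex_plugin() {
    for dir in /usr/lib/x86_64-linux-gnu/gssapi /usr/lib64/gssapi /usr/lib/gssapi; do
        if [ -f "$dir/negoex.so" ]; then printf '%s\n' "$dir/negoex.so"; fi
    done
}
# Return 0 when the given sshd_config has an uncommented "GSSAPIAuthentication yes".
sshd_gssapi_enabled() {
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$1"
}

main() {
    ver=$(parse_klist_version "$(klist -V 2>/dev/null)")
    if krb5_version_vulnerable "$ver"; then
        echo "krb5 $ver is older than $FIXED_VERSION: apply the update"
    else
        echo "krb5 version ${ver:-unknown}: not flagged by the version check"
    fi
    plugins=$(find_negoex_plugin)
    if [ -n "$plugins" ]; then echo "NegoEx plug-in present: $plugins"; fi
    if sshd_gssapi_enabled /etc/ssh/sshd_config 2>/dev/null; then
        echo "sshd enables GSSAPIAuthentication; consider setting it to no"
    fi
}

main "$@"
```

Run it as root on each host that links libgssapi_krb5; a hit on any of the three lines means the host needs the 1.22.3 update or one of the workarounds above.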
Broader Implications for Windows Shops
While the CVE targets MIT Kerberos, it exemplifies a recurring risk in mixed environments. Many enterprises run Active Directory alongside Linux servers, and cross‑realm authentication often pushes NegoEx into play. A successful DoS against Linux servers could disrupt services like SQL databases running on those hosts, indirectly affecting Windows applications that depend on them.
Microsoft has acknowledged that its own Negotiate SSP implementation is not vulnerable to this specific flaw, but it closely monitors interoperability bugs. Security teams should revisit their GSSAPI and NegoEx configurations, ensuring that only necessary mechanisms are active on each host. This incident also highlights the importance of keeping cross‑platform dependencies up to date—a Linux server running an old MIT krb5 is as dangerous as an unpatched Windows server.
Lessons and Long‑term Practices
- Audit GSSAPI mechanism registrations. Limit the mechs loaded by each application to those actually required.
- Treat authentication stacks as critical attack surface. Even protocol negotiation code deserves the same scrutiny as application logic.
- Monitor security advisories from all software components. MIT Kerberos is often overlooked because it ships with the operating system.
- Test patching in a staging environment. While the 1.22.3 patch is safe, always verify that your specific applications work correctly after removing or updating NegoEx.
References and Further Reading
- MIT Kerberos Version 1.22.3 Release Notes: outlines the fix for CVE-2026-40355.
- NIST National Vulnerability Database entry for CVE-2026-40355.
- Microsoft Negotiate Extensions (NegoEx) documentation.
- GSSAPI/NegoEx IETF draft specifications.
Affected users should subscribe to the krb5-announce mailing list for immediate notifications of future vulnerabilities. Security teams that manage identity and authentication infrastructure must prioritize this patch to prevent trivial take‑downs of critical services.