DEBIAN-CVE-2022-42898

Advisory lineage Upstream: 1 Downstream: 4

Upstream

CVE-2022-42898

Downstream

DLA-3206-1 DLA-3213-1 DSA-5286-1 DSA-5287-1

Published: 25 Dec 2022, 06:15

Last modified:28 Apr 2026, 20:24

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

8.8 HIGH

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 Dec 2022, 06:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:24

Last Modified

Vulnerability information updated

Description

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

debian•heimdal
< 7.7.0+dfsg-2+deb11u2 | < 7.8.git20221115.a6cf945+dfsg-1 | < 7.8.git20221115.a6cf945+dfsg-1 | < 7.8.git20221115.a6cf945+dfsg-1
debian•krb5
< 1.18.3-6+deb11u3 | < 1.20.1-1 | < 1.20.1-1 | < 1.20.1-1
debian•samba
all | < 2:4.17.3+dfsg-1 | < 2:4.17.3+dfsg-1 | < 2:4.17.3+dfsg-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2022-42898