CVE-2022-3116

7.5 HIGH

📋 TL;DR

CVE-2022-3116 is a null pointer dereference vulnerability in the Heimdal Kerberos 5 implementation. Attackers with network access to applications using vulnerable Heimdal code can cause denial-of-service crashes. This affects systems running Heimdal Kerberos or applications that depend on it.

💻 Affected Systems

Products:
  • Heimdal Kerberos 5
Versions: prior to 7.7.1
Operating Systems: Linux, Unix-like systems using Heimdal
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where Heimdal Kerberos is installed and applications use the vulnerable code path. Many Linux distributions use MIT Kerberos by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical applications relying on Heimdal Kerberos crash, causing widespread service disruption and potential cascading failures in dependent systems.

🟠

Likely Case

Targeted applications crash, resulting in denial of service for affected services until restarted.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable service but no authentication. The vulnerability is triggered by specific network packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Heimdal 7.7.1 and later

Vendor Advisory: https://github.com/heimdal/heimdal/releases/tag/heimdal-7.7.1

Restart Required: Yes

Instructions:

1. Check the current Heimdal version.
2. Update to Heimdal 7.7.1 or later using the package manager.
3. Restart affected services that use Heimdal Kerberos.

🔧 Temporary Workarounds

Network segmentation (platform: all)

Restrict network access to services using Heimdal Kerberos to trusted sources only.

Service monitoring and auto-restart (platform: linux)

Implement monitoring and automatic restart for vulnerable services:

systemctl enable --now vulnerable-service   # vulnerable-service is a placeholder unit name
Configure monitoring to restart on crash

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy monitoring with alerting for service crashes and unusual Kerberos traffic

🔍 How to Verify

Check if Vulnerable:

Check Heimdal version: krb5-config --version or check installed packages for heimdal version

Check Version:

krb5-config --version 2>/dev/null || dpkg -l | grep heimdal || rpm -qa | grep heimdal

Verify Fix Applied:

Verify the version is 7.7.1 or later. This assumes a Heimdal banner of the form "heimdal 7.7.1" (MIT's krb5-config prints "Kerberos 5 release ..." and is not covered by this advisory); the comparison uses sort -V so that versions such as 7.10 or 10.0 compare correctly:

v=$(krb5-config --version 2>/dev/null | grep -i heimdal | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1); [ -n "$v" ] && [ "$(printf '%s\n' 7.7.1 "$v" | sort -V | head -n1)" = 7.7.1 ] && echo "fixed ($v)" || echo "vulnerable or not Heimdal"
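The version check above is easy to get wrong with a hand-written regex, so here is a portable POSIX sh version of the same logic as an added example (not part of the advisory or of Heimdal). It assumes the banner formats "heimdal <version>" for Heimdal and "Kerberos 5 release <version>" for MIT Kerberos; the sample banners are constructed, and the field-by-field comparison needs no GNU sort.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide from a `krb5-config --version`
# banner whether a host runs a Heimdal build older than the fixed release 7.7.1.
# Assumed banner formats: Heimdal prints "heimdal <version>", MIT Kerberos prints
# "Kerberos 5 release <version>". The sample banners below are constructed.

FIXED_VERSION="7.7.1"   # first fixed release named in the advisory

# version_ge A B: succeed (0) if dotted version A >= B, comparing field by field
# as integers, so "10.0" > "7.7.1" and "7.7" < "7.7.1".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# extract_version BANNER: print the first dotted numeric version in BANNER,
# or nothing if there is none.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1
}

# classify_banner BANNER: print heimdal, mit or unknown.
classify_banner() {
    case "$1" in
        *[Hh]eimdal*)            echo heimdal ;;
        *"Kerberos 5 release"*)  echo mit ;;
        *)                       echo unknown ;;
    esac
}

# assess_banner BANNER: print vulnerable, fixed, not-heimdal or unknown.
assess_banner() {
    banner="$1"
    case "$(classify_banner "$banner")" in
        mit)     echo not-heimdal; return 0 ;;
        unknown) echo unknown;     return 0 ;;
    esac
    v="$(extract_version "$banner")"
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# check_host: run the live check on this machine. A host without krb5-config
# (or with MIT Kerberos) is reported as unknown / not-heimdal, which matches
# the advisory's note that many distributions ship MIT by default.
check_host() {
    banner="$(krb5-config --version 2>/dev/null)" || banner=""
    assess_banner "$banner"
}

# Constructed banners showing each verdict, then the live result for this host.
for sample in "heimdal 7.7.0" "heimdal 7.7.1" "heimdal 10.0.0" "Kerberos 5 release 1.20.1"; do
    printf '%-28s -> %s\n' "$sample" "$(assess_banner "$sample")"
done
printf '%-28s -> %s\n' "this host" "$(check_host)"
```

Run it on each host that links against Heimdal; a "fixed" verdict only confirms the library version, so services that were running before the update still need the restart the advisory calls for.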

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation fault
  • Kerberos service termination
  • Core dumps from Heimdal processes

Network Indicators:

  • Unusual Kerberos traffic patterns
  • Connection attempts to Kerberos ports from untrusted sources

SIEM Query:

source="*kerberos*" AND (event="segmentation fault" OR event="core dumped" OR event="crash")
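The SIEM query above is written in a generic pseudo-syntax. As an added example (not from the advisory), the following POSIX sh script applies the same two conditions, a crash wording plus a Heimdal process or unit name, to syslog-style lines, which is useful on hosts that are not yet forwarding to a SIEM. The log lines, hex addresses and the process list beyond the Heimdal daemon names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory: scan syslog-style lines for crash
# records of Heimdal daemons, the kind of indicator the advisory lists
# (segmentation faults, core dumps, service termination). The log lines are
# constructed samples; real kernel/systemd wording varies by distribution.

# Process / unit names to watch. kdc, kadmind, kpasswdd and ipropd-* are Heimdal
# daemon names; extend with your own applications that link against Heimdal.
WATCH_PROCS='kdc|kadmind|kpasswdd|ipropd-master|ipropd-slave'

# Crash wordings from kernel segfault reports and systemd exit records.
CRASH_PATTERN='segfault|Segmentation fault|core dumped|dumped core|code=dumped|SIGSEGV|/SEGV'

# find_kerberos_crashes: stdin -> matching lines on stdout.
# The process filter requires the name to stand alone (not inside another word),
# so "kdc" matches "kdc[1234]" and "heimdal-kdc.service" but not "mykdcproxy".
find_kerberos_crashes() {
    grep -E "$CRASH_PATTERN" \
      | grep -E "(^|[^A-Za-z0-9_])($WATCH_PROCS)([^A-Za-z0-9_]|$)" || true
}

# count_crashes: number of matching lines on stdin.
count_crashes() {
    find_kerberos_crashes | wc -l | tr -d ' '
}

# Constructed sample log: two Heimdal crash records, one unrelated crash, noise.
SAMPLE_LOG='Mar 10 12:00:01 kdc1 kernel: kdc[1234]: segfault at 0 ip 0000558c0a1b2c3d sp 00007ffc1e2f3a40 error 4 in libgssapi.so.3[7f1a2b3c4000+2a000]
Mar 10 12:00:02 kdc1 systemd[1]: heimdal-kdc.service: Main process exited, code=dumped, status=11/SEGV
Mar 10 12:00:03 kdc1 sshd[999]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar 10 12:00:04 kdc1 kernel: nginx[555]: segfault at 0 ip 00005605d1c2e000 sp 00007ffd0b0c0d00 error 4 in nginx[5605d1a00000+2f000]
Mar 10 12:00:05 kdc1 kdc[1240]: AS-REQ alice@EXAMPLE.COM from IPv4:10.0.0.5 for krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# sample_crash_count: run the detector over the constructed sample.
sample_crash_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_crashes
}

# Print the hits, then the count (2: the kdc segfault and the unit core dump;
# the nginx segfault and the normal AS-REQ line are excluded).
printf '%s\n' "$SAMPLE_LOG" | find_kerberos_crashes
echo "matches: $(sample_crash_count)"
```

Pipe real input through the same functions, for example journalctl -k or /var/log/syslog, and alert on any non-zero count; a crash on its own is only a weak indicator, so correlate it with the network indicators above (Kerberos connections from untrusted sources shortly before the crash) before treating it as exploitation.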
