CVE-2024-26461

7.5 HIGH

📋 TL;DR

CVE-2024-26461 is a memory leak in the GSSAPI message sealing code of MIT Kerberos 5 (krb5), in src/lib/gssapi/krb5/k5sealv3.c. Because the leaked memory is never reclaimed, sustained GSSAPI traffic can exhaust the memory of the process that loaded the library and cause a denial of service. krb5 1.21.2 is the release listed as affected; any application that links libgssapi_krb5 for authentication or message protection inherits the issue, and high-volume GSSAPI endpoints are the most exposed.

💻 Affected Systems

Products:
  • Kerberos 5 (krb5)
  • Any software using krb5 GSSAPI implementation
Versions: krb5 1.21.2 (the only release listed as affected). Distribution packages that backport the fix keep the upstream version string, so on RHEL/Debian-style systems the package changelog, not the version number, is authoritative.
Operating Systems: Linux, Unix-like systems, Any OS using affected krb5 version
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using GSSAPI sealing functionality. The vulnerability is triggered during normal GSSAPI operations, not requiring special configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability due to memory exhaustion, causing authentication failures and service disruption across dependent applications.

🟠

Likely Case

Gradual performance degradation and intermittent authentication failures under sustained GSSAPI usage, eventually requiring service restarts.

🟢

If Mitigated

Minimal impact with proper monitoring and resource limits, though memory consumption may still increase over time.

🌐 Internet-Facing: MEDIUM - While exploitation requires GSSAPI usage, internet-facing services using Kerberos authentication could be targeted to cause service disruption.
🏢 Internal Only: HIGH - Internal systems with heavy Kerberos/GSSAPI traffic are most susceptible to resource exhaustion attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - The leak is hit during ordinary GSSAPI sealing operations, so an attacker needs nothing more than the ability to repeat those operations at volume.

Exploitation requires the ability to trigger GSSAPI sealing operations, which typically requires authentication or service access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: krb5 1.21.3 or later

Vendor Advisory: https://security.netapp.com/advisory/ntap-20240415-0011/

Restart Required: Yes

Instructions:

1. Check the current krb5 version: krb5-config --version (prints "Kerberos 5 release X.Y.Z")
2. Update krb5 with the system package manager (RHEL/Fedora: krb5-libs; Debian/Ubuntu: libkrb5-3 and libgssapi-krb5-2)
3. For source installations: download krb5 1.21.3 or later from the MIT Kerberos website
4. Recompile and reinstall krb5
5. Restart every process that has the old libgssapi_krb5 mapped (sshd, web servers, Samba, the KDC, and so on). A replaced shared library stays in use by a running process until that process restarts.

🔧 Temporary Workarounds

Limit GSSAPI usage

all

Reduce exposure by limiting applications that use GSSAPI sealing or implementing rate limiting

Memory monitoring and restart

linux

The leak lives in libgssapi_krb5, so monitor every process that has the library loaded, not only processes named krb5*, and restart a service when its resident set grows past a threshold

# Processes with the GSSAPI library mapped (reading other users' maps needs root):
grep -l libgssapi_krb5 /proc/[0-9]*/maps 2>/dev/null
# Resident set size (kB) of one of them:
ps -o pid,rss,comm -p <PID>
# Alert on sustained RSS growth in your monitoring tool, then restart the service
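The monitoring workaround above as a runnable script. This is an added example, not code from the advisory or from MIT krb5: it walks /proc to find every process that has libgssapi_krb5 mapped, reads each one's resident set size, and filters for those at or above a threshold. It assumes a Linux /proc filesystem and enough privilege to read other users' map files; the 512 MiB threshold is illustrative and should be tuned to the baseline of the service being watched.

```shell
#!/bin/sh
# Added example for CVE-2024-26461 monitoring (not part of the advisory).
# The leak is in libgssapi_krb5, so the process that grows is whichever
# one loaded the library (sshd, httpd, smbd, krb5kdc, ...), not "krb5".

# Print "pid rss_kb comm" for every process with libgssapi_krb5 mapped.
# Assumes Linux /proc; map files of other users need root to read.
gss_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        grep -q 'libgssapi_krb5' "$maps" 2>/dev/null || continue
        rss=$(awk '/^VmRSS:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "${rss:-0}" "${comm:-?}"
    done
}

# Read "pid rss_kb comm" lines on stdin and print those whose RSS is
# at or above the limit given in kB as $1.
over_threshold() {
    awk -v limit="$1" '$2 + 0 >= limit { print }'
}

# Report processes over the limit; exit 1 if any, so cron/monitoring can alert.
# Illustrative threshold: 512 MiB = 524288 kB.
report_over_threshold() {
    limit=${1:-524288}
    hits=$(gss_processes | over_threshold "$limit")
    if [ -n "$hits" ]; then
        printf 'GSSAPI-linked processes at or above %s kB RSS:\n%s\n' "$limit" "$hits"
        return 1
    fi
    return 0
}

# Usage: sh gss-rss-check.sh --run [limit_kb]
case "${1:-}" in
    --run) report_over_threshold "${2:-}" ;;
esac
```

Run it from cron or a monitoring agent; a non-zero exit from report_over_threshold is the alert, and the operator response is to restart the named service rather than the whole host.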

🧯 If You Can't Patch

  • Implement strict memory limits for krb5-related processes using cgroups or ulimits
  • Deploy network segmentation to limit which systems can trigger GSSAPI operations

🔍 How to Verify

Check if Vulnerable:

Check whether the krb5 version is exactly 1.21.2: krb5-config --version | grep '1.21.2'. On distributions that backport fixes this string stays 1.21.2 after patching, so also check the package changelog (for example rpm -q --changelog krb5-libs | grep CVE-2024-26461, or the Debian changelog of libkrb5-3).

Check Version:

krb5-config --version 2>/dev/null || klist -V 2>/dev/null
# Installed package version: rpm -q krb5-libs (RHEL/Fedora) or dpkg -s libkrb5-3 (Debian/Ubuntu)

Verify Fix Applied:

Verify krb5 version is 1.21.3 or higher: krb5-config --version
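The version check above as a script. This is an added example, not part of the advisory or of MIT krb5: it parses the strings that krb5-config --version ("Kerberos 5 release 1.21.2") and klist -V print, and classifies the build using the rule on this page (1.21.2 affected, 1.21.3 or later fixed). The helper names and the "not-listed" label for releases older than 1.21.2 are this example's own; for backported distribution packages the upstream string does not change, so the classification only tells you the upstream release, and the package changelog decides.

```shell
#!/bin/sh
# Added example for CVE-2024-26461 version verification (not from the advisory).
# Assumes version strings like "Kerberos 5 release 1.21.2" (krb5-config)
# or "Kerberos 5 version 1.21.2" (klist -V).

# Print the last dotted numeric version found in the string, or nothing.
krb5_version_of() {
    printf '%s\n' "$1" | awk '{
        for (i = NF; i >= 1; i--)
            if ($i ~ /^[0-9]+\.[0-9]+(\.[0-9]+)?$/) { print $i; exit }
    }'
}

# Return 0 when dotted version $1 is strictly less than $2, else 1.
version_lt() {
    vl_a=$1
    vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*}
        vl_y=${vl_b%%.*}
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
        [ "${vl_x:-0}" -lt "${vl_y:-0}" ] && return 0
        [ "${vl_x:-0}" -gt "${vl_y:-0}" ] && return 1
    done
    return 1
}

# Classify a version string per this page: prints vulnerable, fixed,
# not-listed (older than 1.21.2; consult your distribution) or unknown.
krb5_status() {
    ks_v=$(krb5_version_of "$1")
    if [ -z "$ks_v" ]; then
        echo unknown
    elif [ "$ks_v" = "1.21.2" ]; then
        echo vulnerable
    elif version_lt "$ks_v" "1.21.3"; then
        echo not-listed
    else
        echo fixed
    fi
}

# Live check on this host: krb5-config first, then klist -V (prints the
# library version). Backported packages still report the upstream string.
krb5_check_local() {
    kc_s=$(krb5-config --version 2>/dev/null || klist -V 2>/dev/null || true)
    printf '%s: %s\n' "${kc_s:-no krb5 tools found}" "$(krb5_status "$kc_s")"
}

# Usage: sh krb5-cve-2024-26461-check.sh --run
case "${1:-}" in
    --run) krb5_check_local ;;
esac
```

A result of "vulnerable" on a distribution package means only that the upstream release is 1.21.2; confirm with the package changelog before treating the host as unpatched.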

📡 Detection & Monitoring

Log Indicators:

  • Steady memory growth in any process that has loaded libgssapi_krb5 (sshd, web servers with GSSAPI modules, Samba, the KDC), not only in processes named krb5*
  • OOM killer events against those processes
  • Kerberos/GSSAPI authentication failures that correlate in time with memory pressure or with a service restart

Network Indicators:

  • Abnormally high volume of GSSAPI traffic to single endpoints
  • Repeated GSSAPI context establishment failures

SIEM Query:

Pseudo-query; adapt the field names to your SIEM. Watch the GSSAPI-consuming services themselves, since the library is loaded into them:

(process.name:(sshd OR httpd OR smbd OR krb5kdc) AND memory.rss > <threshold>) OR (event.type:authentication_failure AND service:kerberos)
