CVE-2026-11850: Integer Underflow (Wrap or Wraparound) in Red Hat Red Hat Enterprise Linux 10
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.
AI Analysis
Technical Summary
CVE-2026-11850 is an integer underflow vulnerability in the berval2tl_data() function of MIT krb5, specifically in the LDAP KDB backend code (plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c). The function subtracts 2 from an unsigned length (bv_len) without verifying that bv_len is at least 2. If bv_len is 0 or 1, the subtraction wraps around to a large unsigned value (0xFFFE or 0xFFFF), which is then truncated to uint16_t. This results in a large malloc allocation and a memcpy operation that reads far beyond the actual buffer size (0 or 1 byte), causing a heap out-of-bounds read. The vulnerability can be exploited when the KDC or kadmind reads principal data from a malicious or compromised LDAP KDB backend that returns a krbExtraData attribute with bv_len less than 2.
Potential Impact
The vulnerability allows a heap out-of-bounds read in the Kerberos KDC or kadmind processes when handling LDAP KDB backend data. According to the CVSS vector, the attack requires network access with high attack complexity and privileges (PR:H), no user interaction, and impacts availability (A:H) and confidentiality (C:L) but not integrity. This could lead to denial of service or limited information disclosure. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The Red Hat advisory linked does not specify an official fix or workaround at this time. Users should monitor the Red Hat security advisory page for updates and apply any patches or mitigations once available. Until then, restricting access to the LDAP KDB backend and limiting privileges of processes interacting with it may reduce risk.
CVE-2026-11850: Integer Underflow (Wrap or Wraparound) in Red Hat Red Hat Enterprise Linux 10
Description
An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.
CVSS v3.1
Score 5.0medium
Affected software
cpe:/o:redhat:enterprise_linux:10cpe:/o:redhat:enterprise_linux:6cpe:/o:redhat:enterprise_linux:7cpe:/o:redhat:enterprise_linux:8cpe:/o:redhat:enterprise_linux:9cpe:/a:redhat:hummingbird:1AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11850 is an integer underflow vulnerability in the berval2tl_data() function of MIT krb5, specifically in the LDAP KDB backend code (plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c). The function subtracts 2 from an unsigned length (bv_len) without verifying that bv_len is at least 2. If bv_len is 0 or 1, the subtraction wraps around to a large unsigned value (0xFFFE or 0xFFFF), which is then truncated to uint16_t. This results in a large malloc allocation and a memcpy operation that reads far beyond the actual buffer size (0 or 1 byte), causing a heap out-of-bounds read. The vulnerability can be exploited when the KDC or kadmind reads principal data from a malicious or compromised LDAP KDB backend that returns a krbExtraData attribute with bv_len less than 2.
Potential Impact
The vulnerability allows a heap out-of-bounds read in the Kerberos KDC or kadmind processes when handling LDAP KDB backend data. According to the CVSS vector, the attack requires network access with high attack complexity and privileges (PR:H), no user interaction, and impacts availability (A:H) and confidentiality (C:L) but not integrity. This could lead to denial of service or limited information disclosure. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The Red Hat advisory linked does not specify an official fix or workaround at this time. Users should monitor the Red Hat security advisory page for updates and apply any patches or mitigations once available. Until then, restricting access to the LDAP KDB backend and limiting privileges of processes interacting with it may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-10T08:12:34.560Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-11850","vendor":"Red Hat"}]
Threat ID: 6a2a86879e049e7b7ef2854d
Added to database: 6/11/2026, 9:57:27 AM
Last enriched: 6/11/2026, 10:12:16 AM
Last updated: 6/11/2026, 11:54:27 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.