Two denial of service vulnerabilities have been identified in MIT Kerberos 5 (krb5) as used in Red Hat Enterprise Linux 9. CVE-2026-40356 is caused by an integer underflow leading to an out-of-bounds read, and CVE-2026-40355 is caused by a NULL pointer dereference in the NegoEx mechanism. Both vulnerabilities can cause the krb5 service to crash or become unavailable. Red Hat has rated the security impact as Important and has released updated krb5 packages to remediate these issues. The advisory references Red Hat Security Advisory RHSA-2026:19357 and provides links for applying the updates. No CVSS base score is provided in the advisory or CVE references. No known exploitation in the wild has been reported.

Successful exploitation of these vulnerabilities results in denial of service conditions affecting the krb5 service on Red Hat Enterprise Linux 9 systems. This could disrupt network authentication services relying on Kerberos, potentially impacting availability. There is no indication of privilege escalation, data disclosure, or remote code execution. No known exploits are currently reported in the wild.

Red Hat has released updated krb5 packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 versions should apply the security update as described in Red Hat Advisory RHSA-2026:19357 and the linked update instructions (https://access.redhat.com/articles/11258). Applying these official patches is the recommended remediation. No additional mitigations or workarounds are specified in the advisory.