In MIT krb5 releases 1.16 and later, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
Fixed in fedora: https://firstname.lastname@example.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/
In the ec_verify() function, when the armor key is NULL the function should return ENOENT. However, due to a logic error the return value is overwritten with 0 when the k5memdup0() call succeeds before the armor-key check is executed. The caller then treats the verification as successful, which leads to a NULL pointer dereference when the armor key is used afterwards.
An attacker may leverage this by sending crafted requests to the KDC, causing it to crash and resulting in a denial of service.
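The control-flow pattern described above, as an added example that is not MIT krb5 code: a hypothetical verify routine presets its status to ENOENT, then lets a k5memdup0()-style helper (modelled here as memdup0_model(), which stores 0 in its error out-parameter on success) overwrite that status before the armor-key check runs. The names verify_vulnerable(), verify_fixed(), caller_would_deref() and the blob_t type are assumptions for illustration; the hardened version performs the NULL check first and sets ENOENT explicitly at the point of failure rather than relying on a preset value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical data carrier standing in for krb5_data; not krb5's type. */
typedef struct {
    size_t length;
    unsigned char *contents;
} blob_t;

/* Models k5memdup0() semantics: copy and NUL-terminate, storing 0 in *code
 * on success or ENOMEM on allocation failure. The "*code = 0" on success is
 * exactly what clobbers a preset error status in the vulnerable ordering. */
static void *memdup0_model(const void *in, size_t len, int *code)
{
    unsigned char *p = malloc(len + 1);
    if (p == NULL) {
        *code = ENOMEM;
        return NULL;
    }
    memcpy(p, in, len);
    p[len] = 0;
    *code = 0;
    return p;
}

/* Vulnerable ordering: retval is preset to ENOENT, the dup succeeds and
 * resets retval to 0, and only then is the armor key checked. A NULL armor
 * key therefore returns 0 (success) instead of ENOENT. */
int verify_vulnerable(const blob_t *armor_key, const blob_t *enc_data)
{
    int retval = ENOENT;
    unsigned char *enc = NULL;

    enc = memdup0_model(enc_data->contents, enc_data->length, &retval);
    if (enc == NULL)
        goto cleanup;
    if (armor_key == NULL)
        goto cleanup;           /* retval is already 0 here, not ENOENT */
    /* ... decrypt enc with armor_key ... */
    retval = 0;
cleanup:
    free(enc);
    return retval;
}

/* Hardened ordering: check the precondition before any call that writes the
 * status variable, and assign the error code at the failing branch itself. */
int verify_fixed(const blob_t *armor_key, const blob_t *enc_data)
{
    int retval;
    unsigned char *enc = NULL;

    if (armor_key == NULL) {
        retval = ENOENT;
        goto cleanup;
    }
    enc = memdup0_model(enc_data->contents, enc_data->length, &retval);
    if (enc == NULL)
        goto cleanup;
    /* ... decrypt enc with armor_key ... */
    retval = 0;
cleanup:
    free(enc);
    return retval;
}

typedef int (*verify_fn)(const blob_t *, const blob_t *);

/* Models the caller: on a 0 status it would go on to use armor_key. Returns
 * 1 if that would dereference a NULL key, 0 otherwise (no real deref here). */
int caller_would_deref(verify_fn verify, const blob_t *armor_key,
                       const blob_t *enc_data)
{
    int status = verify(armor_key, enc_data);
    if (status != 0)
        return 0;               /* caller bails out on error */
    return armor_key == NULL;   /* a real caller would touch armor_key->... */
}

int main(void)
{
    blob_t data = { 4, (unsigned char *)"data" };   /* constructed input */
    printf("vulnerable, NULL key: status=%d deref=%d\n",
           verify_vulnerable(NULL, &data),
           caller_would_deref(verify_vulnerable, NULL, &data));
    printf("fixed, NULL key:      status=%d deref=%d\n",
           verify_fixed(NULL, &data),
           caller_would_deref(verify_fixed, NULL, &data));
    return 0;
}
```

The practitioner's check is the ordering rule, not the specific helper: any out-parameter that is written on success must not be used on a status variable that already carries a pending error, and a precondition failure should assign its own error code at the branch where it is detected.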
Created krb5 tracking bugs for this issue:
Affects: fedora-all [bug 1992011]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3576 https://access.redhat.com/errata/RHSA-2021:3576
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):