CVE-2025-24528 - Crashing MIT Kerberos 5 kadmind with an Integer Overflow Bug

TL;DR:
A critical vulnerability (CVE-2025-24528) has been found in MIT Kerberos 5, affecting versions before 1.22 that use incremental propagation. This bug allows an authenticated attacker to crash the kadmind daemon, and possibly do worse, by exploiting an integer overflow, leading to an out-of-bounds write in the kdb_log.c source file.

What is MIT Kerberos 5?

MIT Kerberos 5 (official site) is a widely deployed network authentication protocol. It’s used by universities, corporations, and government agencies to handle secure authentication between clients and services.

Many Kerberos deployments use "incremental propagation," a method to replicate changes between Kerberos database servers more efficiently.

The Bug in a Nutshell

MIT Kerberos 5 (krb5) before version 1.22, when incremental propagation is enabled, is vulnerable to an integer overflow bug in the resize() function in its kdb_log.c file. This bug can be triggered by crafting a very large update size. Once triggered, it causes the program to write data out-of-bounds, which can crash the kadmind daemon (the admin interface for Kerberos). The attacker must be authenticated, but from there, it's pretty bad.

Who cares?

If you run a Kerberos server handling admin requests (like password changes, principal creation, etc.), and you run version <1.22 with incremental propagation, you are at risk. A user—or a compromised client—could mess with your server’s memory and kill your admin daemon.

Technical Deep Dive

The heart of the issue is in kdb_log.c, where resize() handles log file updates. There’s no proper check for an integer overflow when calculating how much memory to allocate. Here’s a simplified snippet showing the dangerous logic:

static int resize(log_context *log_ctx, uint64_t update_size) {
    size_t new_size = log_ctx->size + update_size + MARGIN;

    // Problem: If update_size is huge, this overflows!
    void *tmp = realloc(log_ctx->log, new_size);
    if (!tmp) return -1;
    log_ctx->log = tmp;
    log_ctx->size = new_size;
    return ;
}

When update_size is large enough, log_ctx->size + update_size + MARGIN wraps around to a too-small value, but then the system tries to write past the allocated region. That's an out-of-bounds write.

How Does an Attacker Exploit This?

1. Get Authenticated Access: The attacker must be able to communicate with kadmind (Kerberos admin daemon) and authenticate themselves.
2. Send Massive Incremental Update Request: The attacker crafts an incremental update with a huge update_size field.
3. Trigger resize() and Crash: When the server tries to process this request, the integer overflows, causing either a crash (segfault) or potentially letting the attacker corrupt memory, which can lead to remote code execution (though, for now, only crashing has been shown).

A Sketch of the Exploit (Pseudo-steps, Not Live Code)

# Pseudo-code: the attacker connects and sends
big_update = create_incr_update(update_size=xFFFFFFFFFFFFFFF)  # Massive size
send_to_kadmind(big_update)  # Through authenticated session

Result: Server tries to allocate memory, overflows, and writes data out-of-bounds → crash.

Proof-of-Concept Exploit (C Code Example)

WARNING: Do not use this on a production server.

Here’s a simplified C code fragment to help understand how the exploit might work

// Not a full exploit, just an illustration. 
int main() {
    int fd = connect_to_kadmind();
    authenticate(fd, "my_username", "my_password");
    struct incr_update huge_update;
    memset(&huge_update, , sizeof(huge_update));
    huge_update.update_size = xFFFFFFFFFFFFFFFULL; // Dangerous value
    write(fd, &huge_update, sizeof(huge_update));
    // Result: kadmind receives the request, tries to handle it, and crashes
    close(fd);
    return ;
}

MIT Kerberos 5 before 1.22 using incremental propagation.

- Anyone who allows authenticated access to their kadmind service, especially in environments where regular users or automation scripts can talk to it.

How to Confirm You’re Vulnerable

- If krb5kdc --version or kadmind --version returns a version less than 1.22 and your kdc.conf enables iprop_enable = true, you are vulnerable.

Upgrade to krb5 1.22 or newer.

- MIT Kerberos 5 project download page
- Patch sources: Upstream commit (example)

Alternatively, you can try to locally patch with a check in kdb_log.c

if (update_size > MAX_UPDATE_SIZE) {
    // reject the request
    return ERROR;
}

References

- CVE-2025-24528 at NVD (National Vulnerability Database) (link will be live once public)
- MIT krb5 NEWS (Release Notes)
- Upstream commit fixing the bug

Final Thoughts

This is a classic integer overflow with real-world impact—kadmind deals with trusted operations, and any crash here is a serious risk to security and availability. At worst, with more research, further exploitation (beyond a crash) could be possible.

Stay secure, and keep your software updated.

*Written exclusively for this request. Reposting or scraping not permitted without attribution.*

Timeline

Published on: 01/16/2026 00:00:00 UTC
Last modified on: 01/26/2026 15:05:57 UTC