Cyber Resilience

CVE-2022-42898

High · Public PoC

Published: 25 December 2022
Modified: 14 April 2025
KEV Added: not listed
Patch: upstream krb5 commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583; Heimdal 7.7.1
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1083 (93.5th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-42898 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in MIT Kerberos 5 (krb5), with a similar bug in Heimdal and in Samba's bundled Kerberos code. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 6.5% of CVEs by exploit likelihood (EPSS 0.1083, 93.5th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-42898 is an integer overflow vulnerability in PAC parsing code within MIT Kerberos 5 (krb5) versions prior to 1.19.4 and 1.20.x prior to 1.20.1, specifically in the krb5_pac_parse function in lib/krb5/krb/pac.c. The flaw can produce a heap-based buffer overflow on 32-bit platforms that leads to remote code execution, while triggering denial of service on other platforms. A similar issue exists in Heimdal releases before 7.7.1. The vulnerability carries a CVSS 3.1 base score of 8.8 and is classified under CWE-190.

An authenticated attacker who can supply a crafted PAC structure to an affected KDC, kadmind process, or any GSS or Kerberos application server may trigger the overflow. Successful exploitation on 32-bit systems can result in arbitrary code execution with the privileges of the target service, while other platforms are limited to denial-of-service conditions.

Upstream fixes are documented in the krb5 commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 and the corresponding Heimdal security advisory GHSA-64mq-fvfj-5x3c. Multiple distributions have published coordinated advisories, including Gentoo GLSA-202309-06 and GLSA-202310-06, that direct administrators to apply the patched krb5 or Heimdal packages. The EPSS score has remained flat at 0.1083 with no material increase since disclosure.
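The arithmetic behind the flaw, as an added example written for this page (it is a simplified model, not the upstream krb5 code or the fixing commit): the PAC header length check in its wrapping form beside a division-based bound, plus the same class of bug in a per-buffer range test. PACTYPE_LENGTH and PAC_INFO_BUFFER_LENGTH follow the PAC wire layout; PAC_ERANGE, check_constructed_header and the other helper names are this example's own. All sizes are uint32_t so the 32-bit wraparound the advisory describes reproduces on a 64-bit host; the per-buffer check uses 32-bit offsets for illustration only.

```c
/* Added example: a simplified model of the length arithmetic in
 * krb5_pac_parse (lib/krb5/krb/pac.c), written for this page and not
 * copied from the upstream code or its fix.  Sizes are uint32_t so the
 * 32-bit wraparound reproduces on a 64-bit host. */
#include <stdint.h>
#include <stdio.h>

#define PACTYPE_LENGTH         8u   /* PACTYPE: cBuffers(4) + Version(4) */
#define PAC_INFO_BUFFER_LENGTH 16u  /* PAC_INFO_BUFFER: ulType(4) + cbBufferSize(4) + Offset(8) */
#define PAC_ERANGE             34   /* stand-in for ERANGE (example's own constant) */

static uint32_t load_32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the header length is multiplied out before it is
 * checked, so a huge cBuffers wraps header_len to a small value and the
 * bounds test passes.  A caller would then walk cBuffers entries past the
 * end of the PAC. */
int pac_header_check_vulnerable(const uint8_t *data, uint32_t len,
                                uint32_t *cbuffers_out)
{
    uint32_t cbuffers, header_len;

    if (len < PACTYPE_LENGTH)
        return PAC_ERANGE;
    cbuffers = load_32_le(data);
    header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; /* can wrap */
    if (len < header_len)
        return PAC_ERANGE;
    *cbuffers_out = cbuffers;
    return 0;
}

/* Hardened pattern: bound cBuffers by division before any multiplication,
 * so the header length can neither exceed len nor wrap. */
int pac_header_check_fixed(const uint8_t *data, uint32_t len,
                           uint32_t *cbuffers_out)
{
    uint32_t cbuffers;

    if (len < PACTYPE_LENGTH)
        return PAC_ERANGE;
    cbuffers = load_32_le(data);
    if (cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return PAC_ERANGE;
    *cbuffers_out = cbuffers;
    return 0;
}

/* Same class of bug in a per-buffer range test: Offset + cbBufferSize can
 * wrap, so the hardened form compares by subtraction instead. */
int pac_buffer_in_range_vulnerable(uint32_t offset, uint32_t size, uint32_t len)
{
    return offset + size <= len;            /* wraps when offset is near 2^32 */
}

int pac_buffer_in_range_fixed(uint32_t offset, uint32_t size, uint32_t len)
{
    return offset <= len && size <= len - offset;
}

/* Build a constructed PACTYPE header (cBuffers, Version = 0, little-endian)
 * and run it through the chosen check; returns 0 (accepted) or PAC_ERANGE. */
int check_constructed_header(uint32_t cbuffers, uint32_t len, int hardened)
{
    uint8_t pac[64] = {0};
    uint32_t out;

    if (len > sizeof(pac))
        return -1;
    pac[0] = (uint8_t)cbuffers;
    pac[1] = (uint8_t)(cbuffers >> 8);
    pac[2] = (uint8_t)(cbuffers >> 16);
    pac[3] = (uint8_t)(cbuffers >> 24);
    return hardened ? pac_header_check_fixed(pac, len, &out)
                    : pac_header_check_vulnerable(pac, len, &out);
}

int main(void)
{
    /* 0x10000000 * 16 == 2^32, so header_len wraps to exactly 8 bytes: an
     * 8-byte PAC claiming 268 million buffers passes the old check. */
    uint32_t evil = 0x10000000u;
    printf("old header check, cBuffers=%#x len=8: %s\n", evil,
           check_constructed_header(evil, 8, 0) == 0 ? "ACCEPTED" : "rejected");
    printf("new header check, cBuffers=%#x len=8: %s\n", evil,
           check_constructed_header(evil, 8, 1) == 0 ? "ACCEPTED" : "rejected");
    printf("old range check, off=0xfffffff0 size=0x20 len=0x100: %d\n",
           pac_buffer_in_range_vulnerable(0xfffffff0u, 0x20u, 0x100u));
    printf("new range check, off=0xfffffff0 size=0x20 len=0x100: %d\n",
           pac_buffer_in_range_fixed(0xfffffff0u, 0x20u, 0x100u));
    return 0;
}
```

The header computation only wraps where the size type is 32 bits, which is the platform split the advisory draws: on a 32-bit build the wrapped length lets the parser read and copy attacker-controlled buffer descriptors beyond the allocation, while a 64-bit size_t rejects the oversized header outright. The division-based bound is the general fix for this class: compare the count against what the remaining length can hold, and never trust a product or sum of attacker-supplied lengths.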

Vulnerability details

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor            Product      Affected versions
mit               kerberos 5   1.8 up to (excluding) 1.19.4; 1.20.x before 1.20.1
heimdal project   heimdal      before 7.7.1 (7.7.1 contains the fix)
samba             samba        ≤ 4.15.12; 4.16.0 to 4.16.7; 4.17.0 to 4.17.3

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The upstream remediation is to update to krb5 1.19.4 or 1.20.1, Heimdal 7.7.1, or a Samba release above the affected ranges listed under Affected Assets.

References

krb5 commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 (upstream fix)
Heimdal security advisory GHSA-64mq-fvfj-5x3c
Gentoo GLSA-202309-06 and GLSA-202310-06