Cyber Resilience

CVE-2025-24528

Severity: High
Published: 16 January 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H)
EPSS score: 0.0021 (43.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24528 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). By exploit likelihood (EPSS) the CVE ranks at the 43.0th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-24528 is an integer overflow vulnerability (CWE-190) in MIT Kerberos 5 (krb5) versions before 1.22 when incremental propagation is enabled. The flaw resides in the resize() function within kdb_log.c, where a large update size triggers the overflow, enabling an out-of-bounds write that crashes the kadmind daemon.

The vulnerability is reachable over the network (AV:N) by an attacker with low privileges (PR:L) and requires no user interaction (UI:N), but attack complexity is high (AC:H). Successful exploitation crashes the kadmind daemon. The CVSS v3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H) yields a base score of 7.1: low integrity impact, high availability impact, and changed scope.

Mitigation requires upgrading to krb5 1.22 or later, as detailed in the fixing commit (78ceba024b64d49612375be4a12d1c066b0bfbd0) and the release comparison between krb5-1.21.3-final and krb5-1.22-final on the krb5 GitHub repository. Debian LTS has issued an announcement with corresponding patches.


Vulnerability details

In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.

CWE(s): CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique? The integer overflow triggers an out-of-bounds write and a kadmind crash, directly enabling application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33040 (shared CWE-190)
CVE-2026-6773 (shared CWE-190)
CVE-2026-27951 (shared CWE-190)
CVE-2025-29072 (shared CWE-190)
CVE-2026-35092 (shared CWE-190)
CVE-2026-28952 (shared CWE-190)
CVE-2026-33666 (shared CWE-190)
CVE-2026-31814 (shared CWE-190)
CVE-2026-40385 (shared CWE-190)
CVE-2025-46597 (shared CWE-190)


Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): directly requires applying the vendor patch that eliminates the integer overflow in resize() of kdb_log.c.

Prevent: memory-protection mechanisms can block or contain the out-of-bounds write that results from the overflow.

Prevent (CM-7, Least Functionality): disabling incremental propagation removes the vulnerable code path until the fix is applied.
