CVE-2026-40355
Published: 28 April 2026
Summary
CVE-2026-40355 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in MIT Kerberos 5 (krb5); the references identify the affected product (an earlier automated inference of "Cems" was wrong). Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 28.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25981
Vulnerability details
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
- CWE(s): CWE-476 NULL Pointer Dereference
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
A NULL pointer dereference reachable through gss_accept_sec_context() lets an unauthenticated remote peer crash the accepting process, which is exactly the endpoint denial-of-service-by-exploitation behaviour T1499.004 describes.
Affected Assets
- MIT Kerberos 5 (krb5) before 1.22.3, on hosts where a NegoEx mechanism is registered in /etc/gss/mech
Mitigating Controls
No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. From the vulnerability details above, the fixed release is krb5 1.22.3, and the crash is only reachable when a NegoEx mechanism is registered in /etc/gss/mech, so hosts with no such registration do not expose the trigger condition until one is added.