CVE-2026-40356
Published: 28 April 2026
Summary
CVE-2026-40356 is a medium-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in MIT Kerberos 5 (krb5) before 1.22.3. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25993
Vulnerability details
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
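The failure mode the description names, an unsigned length derived from an untrusted field wrapping below zero and then bounding a read, shown as an added example written for this page. It is not krb5 or NegoEx code: the 4-byte length-prefixed message layout, the function names, and the inputs are assumptions made for illustration, and the unchecked variant only returns the wrapped value rather than performing the out-of-bounds read.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this example (not the NegoEx wire format): a 4-byte
 * big-endian total length that covers the header itself, then the payload. */
#define HDR_LEN 4u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The CWE-191 pattern: trust the peer-supplied total and subtract the
 * header size without first checking total >= HDR_LEN. For total < 4 the
 * unsigned subtraction wraps to a value near 2^32; a caller that uses the
 * result as a read bound walks straight off the end of the buffer.
 * Only the wrapped value is returned here; no memory is read with it. */
uint32_t payload_len_unchecked(const uint8_t *msg)
{
    uint32_t total = be32(msg);
    return total - HDR_LEN;          /* wraps when total < 4 */
}

/* Hardened parser: every bound is validated against the bytes actually
 * held before the untrusted length is used in arithmetic. Returns the
 * payload length, or -1 for a malformed message. The payload pointer is
 * optional and is set only on success. */
int64_t parse_message_checked(const uint8_t *msg, size_t msglen,
                              const uint8_t **payload)
{
    if (payload)
        *payload = NULL;
    if (msglen < HDR_LEN)            /* not even a full header present */
        return -1;
    uint32_t total = be32(msg);
    if (total < HDR_LEN)             /* would underflow in the subtraction */
        return -1;
    if (total > msglen)              /* claims more bytes than were received */
        return -1;
    if (payload)
        *payload = msg + HDR_LEN;
    return (int64_t)(total - HDR_LEN);   /* now within [0, msglen - 4] */
}

int main(void)
{
    /* Constructed inputs: a header claiming total = 3 (smaller than the
     * header itself) and a well-formed message with a 3-byte payload. */
    static const uint8_t bad[]  = {0x00, 0x00, 0x00, 0x03};
    static const uint8_t good[] = {0x00, 0x00, 0x00, 0x07, 'a', 'b', 'c'};
    const uint8_t *p = NULL;

    printf("unchecked length for total=3: %" PRIu32 "\n",
           payload_len_unchecked(bad));
    printf("checked result for total=3: %" PRId64 "\n",
           parse_message_checked(bad, sizeof bad, &p));
    int64_t n = parse_message_checked(good, sizeof good, &p);
    printf("checked result for total=7: %" PRId64 " bytes, payload %.*s\n",
           n, (int)n, (const char *)p);
    return 0;
}
```

The lower-bound check (total >= HDR_LEN) is the one that addresses the underflow; the upper-bound check (total <= msglen) is what stops an honest-looking length from reading past the received bytes. Both are needed, and both must run before the subtraction, not after.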
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A remote, unauthenticated peer can trigger the integer underflow inside gss_accept_sec_context(), so any public-facing service that accepts Kerberos/GSS-API security contexts on an affected system can be attacked directly. The impact described is a process crash in parse_message, that is, application exploitation for denial of service.
Affected Assets
MIT Kerberos 5 (krb5) releases before 1.22.3, on systems where a NegoEx mechanism is registered in /etc/gss/mech and an application calls gss_accept_sec_context() on untrusted input.
Mitigating Controls
Upgrade to krb5 1.22.3 or later, the fixed release named in the vulnerability details; the installed release can be read with krb5-config --version. The trigger condition is a NegoEx mechanism registered in /etc/gss/mech, so hosts with no such entry are not reachable through this path, and where that mechanism is not needed, leaving it unregistered removes the trigger condition until the upgrade is applied.