{"id":"CVE-2017-11462","details":"Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.","modified":"2026-03-15T22:23:40.461788Z","published":"2017-09-13T16:29:00.430Z","related":["MGASA-2017-0420","SUSE-SU-2017:2659-1","SUSE-SU-2018:0859-1","openSUSE-SU-2024:10899-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/"},{"type":"ADVISORY","url":"http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1488873"},{"type":"FIX","url":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/krb5/krb5","events":[{"introduced":"0"},{"last_affected":"48401c2c17364ebd90d3422d01a159ca16ea9548"},{"introduced":"0"},{"last_affected":"4b6ba67f51b8723f53bcf7a532fedfda66f4bdbb"},{"introduced":"0"},{"last_affected":"f5ab3b3b18b7373ddfbcc2c2bd9cbe2b333f0203"},{"introduced":"0"},{"last_affected":"102087ab0ce9f8661be09f905ca546c4d471bac5"},{"introduced":"0"},{"last_affected":"feb36cf045c4ecb5b3f0da04a86a85f2fdbf71a5"},{"introduced":"0"},{"last_affected":"68a03305111126a183dbd3779497ed9e00be6e0a"},{"introduced":"0"},{"last_affected":"3a3e096c07eefcb889f6c330f271a322e29c246a"},{"introduced":"0"},{"last_affected":"da9c3ecfae66d2d61c9f22f3d4d2a4d643cfd9c8"},{"introduced":"0"},{"last_affected":"747204921f955bf8239f86c7f5490ff5af426836"},{"introduced":"0"},{"last_affected":"3051931836c20208100b8f9d938145c6c5c702e8"},{"introduced":"0"},{"last_affected":"b9ad6c49505c96a088326b62a52568e3484f2168"},{"fixed":"56f7b1bc95a2a3eeb420e069e7655fb181ade5cf"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.14"},{"introduced":"0"},{"last_affected":"1.14-alpha1"},{"introduced":"0"},{"last_affected":"1.14-beta1"},{"introduced":"0"},{"last_affected":"1.14-beta2"},{"introduced":"0"},{"last_affected":"1.14.1"},{"introduced":"0"},{"last_affected":"1.14.2"},{"introduced":"0"},{"last_affected":"1.14.3"},{"introduced":"0"},{"last_affected":"1.14.4"},{"introduced":"0"},{"last_affected":"1.14.5"},{"introduced":"0"},{"last_affected":"1.15"},{"introduced":"0"},{"last_affected":"1.15.1"}]}}],"versions":["krb5-1.14-alpha1","krb5-1.14-beta1","krb5-1.14-beta2","krb5-1.14-final","krb5-1.15-beta1","krb5-1.15-beta2","krb5-1.15-final"],"database_specific":{"vanir_signatures":[{"id":"CVE-2017-11462-0e3035ea","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_accept_sec_context.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["113365589254028950831759866952732363792","299671428004758560547956332266712411796","313878630672118956822350231428516282651","36082119797606512123858535427160296497","303299836299360466855990804196747852178","47000552570716277391433332785385072543","205595035314639855734651874967137587782","140441883899889337675695721499628116338","281869919779813552905981642990614622852","92042041856409535265429861824467279112","199380787403468105087403273620949189718","328960532463704804191393082229285686545","150811375805580533231983848419464760157","203359321805143679509900186285736731284","110012356178553817267445820242741259944","121351120156354287520860639786144473119","251316567390949673089521965877914553051","174496037936978228976853946387492151059","32626311302713884848339666378553095372","176654164957123766617666835759518728885","121493791865016730768143069313996623992","299472622313771818115347343479176848430","58190323952740116784879083675053873659","327188296439971873280519859618219866658","22911219482791798654592476190640354476","79797039118292096799463391790643634942"]}},{"id":"CVE-2017-11462-0eeaaf86","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_process_context.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["45466575498610010453360452988168435402","207488688430417332689746618042757115253","189416343278799031321284810705459439935","267684482599810194893389216108612094912"]}},{"id":"CVE-2017-11462-1fe16c47","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_unwrap_aead.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["202820652179333292638476000022590568711","279172822676874531263183741786878542140","230151296749571886057666313469723665020","59623971633731781180089401266148358120"]}},{"id":"CVE-2017-11462-21098795","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_sign.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["57206329821583218948180368659574647635","279172822676874531263183741786878542140","277332688408059383616680465495033724463","239305714132346633435063657102490722420"]}},{"id":"CVE-2017-11462-21ff097f","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_inq_context.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["107154425109754889017540545923079768141","279172822676874531263183741786878542140","296568857958428654992302881692141051625","57238032411018043031580532358517682010"]}},{"id":"CVE-2017-11462-223b78dd","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_unwrap_iov.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["32424795816800363734201588202443306201","279172822676874531263183741786878542140","277332688408059383616680465495033724463","293622752440984088819908905342237280590","257308671250132641130536812462151080778","20876180485560077881330905693157411434","100603856213685072266433294144233069028","280581160103967509079800498953416458815"]}},{"id":"CVE-2017-11462-32d034e7","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_verify_mic_iov","file":"src/lib/gssapi/mechglue/g_unwrap_iov.c"},"signature_version":"v1","deprecated":false,"digest":{"length":555,"function_hash":"193911584995775867856904687747004069079"}},{"id":"CVE-2017-11462-3741a055","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_delete_sec_context.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["155766846641148498726673556434837487348","156888712370778725906602482609327511511","278167979885573846517204868137472502026","628342129815268749205939584635807859","127571106498045647610224971524121961336","165804498134623836832068323928984299141","136557233799025390871553235128380905301","129261482536825009614551851907852061255","133020867531809431662580895209573038786"]}},{"id":"CVE-2017-11462-41bc8e59","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_pseudo_random","file":"src/lib/gssapi/mechglue/g_prf.c"},"signature_version":"v1","deprecated":false,"digest":{"length":858,"function_hash":"84780669822825626659662441163036262328"}},{"id":"CVE-2017-11462-52a5f64d","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_context_time.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["65699658457000625733951509092065926468","4249221506307333738466651680668611217","245098841284075754220599421229456492068","65157373452218150056743915595096107955"]}},{"id":"CVE-2017-11462-54779797","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_get_mic_iov_length","file":"src/lib/gssapi/mechglue/g_wrap_iov.c"},"signature_version":"v1","deprecated":false,"digest":{"length":557,"function_hash":"175755849309810436215143881804800774417"}},{"id":"CVE-2017-11462-58c0e3e3","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_init_sec_context.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["36931158403616128308512480933830901818","308990704743520702063298901411660468500","282737478335428559571832433030213582691","114236236451000054797425435516207980252","61391509398599092682080290821721512034","234952625221084801387740223251952078397","46414348307064053028254546423811415320","107726776061217080292467448337101899040","310585814034930159035254405789255652840","299130577769579551379689684481760797295","65892219977847310983726922407736164822"]}},{"id":"CVE-2017-11462-5d1e081d","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_complete_auth_token.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["193825300154024044939738143090155963019","281424264385750326561984961715402363442","315809417267996437014979880489893825253","127594108691989287492112756964015328320"]}},{"id":"CVE-2017-11462-5f6efc9b","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_exp_sec_context.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["235442461251688478774178144650890866073","1090177348794421947043607628426505420","200092999706315589986629953069910272996","153077527340404387496007954494290605801"]}},{"id":"CVE-2017-11462-647eb20b","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_wrap_iov.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["66944961868026136975076220035533772283","279172822676874531263183741786878542140","277332688408059383616680465495033724463","248209399207888684344640820787236461145","66944961868026136975076220035533772283","279172822676874531263183741786878542140","277332688408059383616680465495033724463","313371927353895911877906571486063651192","117468809547933847923356077904461459262","20876180485560077881330905693157411434","100603856213685072266433294144233069028","280581160103967509079800498953416458815","117468809547933847923356077904461459262","20876180485560077881330905693157411434","100603856213685072266433294144233069028","280581160103967509079800498953416458815"]}},{"id":"CVE-2017-11462-71ba27ff","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_wrap_size_limit","file":"src/lib/gssapi/mechglue/g_seal.c"},"signature_version":"v1","deprecated":false,"digest":{"length":826,"function_hash":"224985312792235843938184834612419811584"}},{"id":"CVE-2017-11462-7a28da20","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_seal.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["283043283586919477336713932980812147952","279172822676874531263183741786878542140","277332688408059383616680465495033724463","166063505421183355160816498850755324580","166805157139985073204711769027975051892","111802985952538530637545933811441551156","99942816079795024149571942755414930924","59623971633731781180089401266148358120"]}},{"id":"CVE-2017-11462-7d1f6bf6","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_inquire_context","file":"src/lib/gssapi/mechglue/g_inq_context.c"},"signature_version":"v1","deprecated":false,"digest":{"length":1285,"function_hash":"337112570530254127079759456597588706006"}},{"id":"CVE-2017-11462-86c76bee","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_verify.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["304679997914822602038643724030287245327","255210947317737890540820571081773665481","189416343278799031321284810705459439935","87990793854732838573234293773801599011"]}},{"id":"CVE-2017-11462-90a2abb8","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_wrap","file":"src/lib/gssapi/mechglue/g_seal.c"},"signature_version":"v1","deprecated":false,"digest":{"length":815,"function_hash":"328401194485328766950541482793175813774"}},{"id":"CVE-2017-11462-aa0ab764","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_complete_auth_token","file":"src/lib/gssapi/mechglue/g_complete_auth_token.c"},"signature_version":"v1","deprecated":false,"digest":{"length":477,"function_hash":"110736529873258593906621016967237020456"}},{"id":"CVE-2017-11462-c63b5945","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_prf.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["257279635259446308660028729535868625375","7302508278170680158129511721536338108","170115062276028931270362690826661190105","53970671521803570509930204622034643647"]}},{"id":"CVE-2017-11462-e2b261f8","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_wrap_aead.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["291472242011713900904678322408871903041","279172822676874531263183741786878542140","230151296749571886057666313469723665020","59623971633731781180089401266148358120"]}},{"id":"CVE-2017-11462-e7adb994","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Function","target":{"function":"gss_get_mic_iov","file":"src/lib/gssapi/mechglue/g_wrap_iov.c"},"signature_version":"v1","deprecated":false,"digest":{"length":557,"function_hash":"175755849309810436215143881804800774417"}},{"id":"CVE-2017-11462-f52720c6","source":"https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf","signature_type":"Line","target":{"file":"src/lib/gssapi/mechglue/g_unseal.c"},"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["102519311333740825098893792659011157030","291361584154017503395381246580368737897","338872964670330084759523749595614395648","154481536822596690542760743600924337902"]}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.15.1-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.1-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"25"}]},{"events":[{"introduced":"0"},{"last_affected":"26"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-11462.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}