{"id":"CVE-2021-37750","details":"The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.","modified":"2026-04-11T16:26:25.312663Z","published":"2021-08-23T05:15:08.063Z","related":["SUSE-SU-2021:3454-1","SUSE-SU-2021:3454-2","SUSE-SU-2022:4154-1","SUSE-SU-2024:1702-1","openSUSE-SU-2021:1411-1","openSUSE-SU-2021:3454-1","openSUSE-SU-2024:10899-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFCLW7D46E4VCREKKH453T5DA4XOLHU2/"},{"type":"ADVISORY","url":"https://www.starwindsoftware.com/security/sw-20220817-0004/"},{"type":"ADVISORY","url":"https://github.com/krb5/krb5/releases"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00019.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210923-0002/"},{"type":"ADVISORY","url":"https://web.mit.edu/kerberos/advisories/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/krb5/krb5","events":[{"introduced":"0"},{"fixed":"78e00c57d8aea567ab435fe802b730029fded242"},{"introduced":"0"},{"fixed":"f886ccde056f3e8ad4c1fb35cb9f4a7d7f1c1d5c"},{"fixed":"d775c95af7606a51bf79547a94fa52ddd1cb7f49"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.18.5"},{"introduced":"1.19.0"},{"fixed":"1.19.3"}]}}],"versions":["krb5-1.18-beta1","krb5-1.18-beta2","krb5-1.18-final","krb5-1.18.1-final","krb5-1.18.2-final","krb5-1.18.3-final","krb5-1.18.4-final","krb5-1.19-beta1","krb5-1.19-beta2","krb5-1.19-final","krb5-1.19.1-final","krb5-1.19.2-final"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37750.json","vanir_signatures":[{"id":"CVE-2021-37750-6610d9b5","digest":{"length":14255,"function_hash":"256313135997629940279080382534511192649"},"signature_version":"v1","target":{"file":"src/kdc/do_tgs_req.c","function":"process_tgs_req"},"source":"https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49","deprecated":false,"signature_type":"Function"},{"id":"CVE-2021-37750-d4305430","digest":{"line_hashes":["85759854495363053129708329220649920226","106951285823959472315379620424094599901","35353251504946687087079113116870528593","137141899296435357137104491440352983080"],"threshold":0.9},"signature_version":"v1","target":{"file":"src/kdc/do_tgs_req.c"},"source":"https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49","deprecated":false,"signature_type":"Line"}],"vanir_signatures_modified":"2026-04-11T16:26:25Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"v8r13-14338"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}