{"id":"CVE-2024-37371","details":"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.","modified":"2026-04-16T04:35:17.082737969Z","published":"2024-06-28T23:15:11.603Z","related":["ALSA-2024:5312","ALSA-2024:6166","ALSA-2025:1671","ALSA-2025:1673","SUSE-SU-2024:2300-1","SUSE-SU-2024:2302-1","SUSE-SU-2024:2303-1","SUSE-SU-2024:2305-1","SUSE-SU-2024:2307-1","SUSE-SU-2024:2322-1","SUSE-SU-2025:20051-1","openSUSE-SU-2024:14111-1"],"references":[{"type":"ADVISORY","url":"https://web.mit.edu/kerberos/www/advisories/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0009/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250124-0010/"},{"type":"FIX","url":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/krb5/krb5","events":[{"introduced":"0"},{"fixed":"8f56f544dd179056e9b8d02552e6c5e392eb2966"},{"fixed":"55fbf435edbe2e92dd8101669b1ce7144bc96fef"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.21.3"}]}}],"versions":["kfw-4.3-beta1","kfw-4.3-beta1-mit","krb5-1.21-beta1","krb5-1.21-final","krb5-1.21.1-final","krb5-1.21.2-final"],"database_specific":{"vanir_signatures_modified":"2026-04-12T07:38:42Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]}],"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/tests/gssapi/t_invalid.c","function":"make_token"},"deprecated":false,"id":"CVE-2024-37371-1df7c73c","digest":{"length":454,"function_hash":"181288490691551539276030950384381900325"},"signature_type":"Function"},{"deprecated":false,"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/lib/gssapi/krb5/k5sealv3.c"},"signature_version":"v1","id":"CVE-2024-37371-32c65a70","digest":{"threshold":0.9,"line_hashes":["249506129078718211803429264891256381134","288149586519997172688793957007570430812","240646770775722692739035560481597382058","303900088052997634529903035635480983292","338126685936456179893363646948398891700","54487801512522521148961176327611494675","108745466256977167880621123289301581934"]},"signature_type":"Line"},{"deprecated":false,"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/lib/gssapi/krb5/k5sealv3.c","function":"gss_krb5int_unseal_token_v3"},"signature_version":"v1","id":"CVE-2024-37371-3f07a7bd","digest":{"length":4337,"function_hash":"98293196971926310410761654759985255839"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/lib/gssapi/krb5/k5unsealiov.c","function":"kg_unseal_iov_token"},"deprecated":false,"id":"CVE-2024-37371-41104b48","digest":{"length":1693,"function_hash":"303351386319676587296194179357777809979"},"signature_type":"Function"},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","target":{"file":"src/tests/gssapi/t_invalid.c","function":"make_fake_context"},"deprecated":false,"id":"CVE-2024-37371-5c771456","digest":{"length":954,"function_hash":"140177844166912038852243412243705372883"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/lib/gssapi/krb5/k5sealv3iov.c"},"deprecated":false,"id":"CVE-2024-37371-7d836a9b","digest":{"threshold":0.9,"line_hashes":["230425656155783130342333519260053525979","229344041728628893963599055128908416781","253458744637640492840184618760152751593","27574026631851263555301678032649503933","163608176491538825945561015738662347868","247119585514961648511300436561989594849","278020424269055034555322742033740408648"]},"signature_type":"Line"},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","target":{"file":"src/tests/gssapi/t_invalid.c","function":"make_fake_cfx_context"},"deprecated":false,"id":"CVE-2024-37371-ad93d025","digest":{"length":711,"function_hash":"220604563734506325727267498493098391188"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/tests/gssapi/t_invalid.c","function":"main"},"deprecated":false,"id":"CVE-2024-37371-ada3136f","digest":{"length":422,"function_hash":"289612554992914395914056291750669305271"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/lib/gssapi/krb5/k5sealv3iov.c","function":"gss_krb5int_unseal_v3_iov"},"deprecated":false,"id":"CVE-2024-37371-b8dd53d5","digest":{"length":3741,"function_hash":"195348772871666817748336395484823275086"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/tests/gssapi/t_invalid.c","function":"try_accept"},"deprecated":false,"id":"CVE-2024-37371-dff4f89b","digest":{"length":504,"function_hash":"138180890806099684658054031274090919201"},"signature_type":"Function"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/lib/gssapi/krb5/k5unsealiov.c"},"deprecated":false,"id":"CVE-2024-37371-e203cdf1","digest":{"threshold":0.9,"line_hashes":["233632372815735821944452845218895474531","262355901222310656430491832498492947441","268895778251236432784648419410582503983","242461635590865998631206143405748904830","136801142089113954101277361283389620689","189321458024708033060279185243566343885","290457867488243979744144828237846139487","39653275422146381986640722615307140275","185110370425662329074055136086264140266","189654905727076676654792769577175054552","136186376754499126779963917652247664150","223645431530016318804164688796263486347","49992899863462079845897870321928455409","165526590684903766152291801862009571920","116800409787590243855009395891408830996","41793673749647707537679796596010563700","242286896785079614426167607149757882771","225704161944435927268696388495845123748","141669129805271476436645833121972852721","54944304351176642967641798106546604205","284634114269162632948060880050218330222","76660648972109655373638037035437315060","287018580442253345217872547137936767094","304142749247190506366625925409835191535"]},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","target":{"file":"src/tests/gssapi/t_invalid.c"},"deprecated":false,"id":"CVE-2024-37371-fd1182da","digest":{"threshold":0.9,"line_hashes":["46081912875478378167730162008287322351","149464097080068881471347518859610212764","35892351460835453544008038688602856515","54193177529587539228755428234936348740","164919141884014013814068777599774886015","120496654672254995287920120158482526705","126554600910143298594949515314786008045","333585463244526508338891052561915148049","256958163279390832948676018252331667586","262422870513302958039067222912526722592","61211325234348376708953122507925163417","299171055584048307906145994035865535193","336778840970254188031917970539975140587","166905904496776334174792100394807230944","111540463162605207689684621130918551539","207989100659469986248173380551508280264","97565035193547563755299054306486660559","69705857514109298907482687201353136595","250515738642808039124425234233033315531","25261943639470381576433545951373342846","155968463102505524668649792799427011221","226717774503492914134307443293630104298","119746595982831932772533352709249224472","196023733304730656852142114701616683193","333585463244526508338891052561915148049","256958163279390832948676018252331667586","262422870513302958039067222912526722592","61211325234348376708953122507925163417","336309751092384052925872768691007552095","15965313950902173205363818520986908205","230696040828335200846382527277056168876","320698243185774739555952786486669431219","155968463102505524668649792799427011221","226717774503492914134307443293630104298","119746595982831932772533352709249224472","196023733304730656852142114701616683193","42243522612720981631743587746788479498","307693904798826635995673740120516367504","238104374601084847629065065964754142982","297261495332378516068495605326068638926","33800677824973969342210146568669583464","293733998953732843216992635301307589459","65091210993800138874533158244793717783","245127060547121105878227485765971721395","23787540765483663146986435862528184311","231102783850306336970285948930938627737","307723069298870506556379174009256423268","282595538099047009400025529636777782070","296206049940099696660706586968381551308","174176388500282705820751983962690765736","260808767835095792348025919998486224897","172593446264879008148516919958583180417","254639008005813116174205609668589472439","34645225354467353828647583503494433","322226675994480185991064709950238932153","299134670706231447773652766012690091836","53168281897773373193406564668365842996","103977377026834181519666834105319338038","238721725913302095997120732506934052516","165575549363718143018069936434504485186","23647356369235017987347520688540098274","220262945418189216628434421934641596489"]},"signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37371.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}