CVE Vulnerabilities

CVE-2024-26458

Missing Release of Memory after Effective Lifetime

Published: Feb 29, 2024 | Modified: May 23, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.9 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
NEGLIGIBLE

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Weakness

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Affected Software

Name Vendor Start Version End Version
Kerberos_5 Mit 1.21.2 (including) 1.21.2 (including)
Red Hat Enterprise Linux 8 RedHat krb5-0:1.18.2-27.el8_10 *
Red Hat Enterprise Linux 9 RedHat krb5-0:1.21.1-3.el9 *
Red Hat Enterprise Linux 9 RedHat krb5-0:1.21.1-3.el9 *
Krb5 Ubuntu bionic *
Krb5 Ubuntu devel *
Krb5 Ubuntu esm-infra-legacy/trusty *
Krb5 Ubuntu esm-infra/bionic *
Krb5 Ubuntu esm-infra/xenial *
Krb5 Ubuntu focal *
Krb5 Ubuntu jammy *
Krb5 Ubuntu mantic *
Krb5 Ubuntu noble *
Krb5 Ubuntu oracular *
Krb5 Ubuntu plucky *
Krb5 Ubuntu trusty *
Krb5 Ubuntu trusty/esm *
Krb5 Ubuntu xenial *

Potential Mitigations

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

References