Multiple vulnerabilities in Microsoft Windows Kerberos

Published: 2024-04-10

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-26183 CVE-2024-26248
CWE-ID	CWE-476 CWE-303
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system
Vendor	Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) NULL pointer dereference

EUVDB-ID: #VU88370

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-26183

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in Windows Kerberos. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10 - 11 23H2

Windows Server: 2008 - 2022 23H2

External links

http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26183

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect Implementation of Authentication Algorithm

EUVDB-ID: #VU88371