cve-2026-40356
About this tag
CVE-2026-40356 is a denial-of-service vulnerability in MIT Kerberos 5 before version 1.22.3, disclosed in April 2026. It affects applications that call gss_accept_sec_context() on systems where a NegoEx mechanism is registered in /etc/gss/mech. An unauthenticated attacker with network reachability can crash GSS accept services by sending a specially crafted NegoEx message. While Windows Kerberos itself is not directly affected, this vulnerability is significant for WindowsForum readers because modern identity infrastructure often relies on cross-platform authentication plumbing. The bug sits in foundational authentication components that many organizations are hesitant to update, making it a practical concern for enterprise environments using mixed Kerberos implementations.
CVE-2026-40356 is a denial-of-service vulnerability in MIT Kerberos 5 before version 1.22.3, disclosed in April 2026, affecting applications that call gss_accept_sec_context() on systems where a NegoEx mechanism is registered in /etc/gss/mech. That dry sentence hides the practical problem: this...