{"id":"CVE-2021-36222","details":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","modified":"2026-05-18T20:15:50.271166Z","published":"2021-07-22T18:15:23.337Z","related":["SUSE-FU-2022:1419-1","SUSE-SU-2021:2800-1","SUSE-SU-2022:0283-1","SUSE-SU-2022:0751-1","SUSE-SU-2022:1396-1","SUSE-SU-2022:2134-1","SUSE-SU-2022:3676-1","SUSE-SU-2022:4428-1","SUSE-SU-2022:4437-1","SUSE-SU-2022:4439-1","SUSE-SU-2024:0191-1","SUSE-SU-2024:0196-1","openSUSE-SU-2021:1182-1","openSUSE-SU-2021:2800-1","openSUSE-SU-2022:0283-1","openSUSE-SU-2024:10899-1","openSUSE-SU-2024:11816-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"}],"vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]},{"source":"CPE_FIELD","extracted_events":[{"fixed":"1.18.4"}],"vendor_product":"mit:kerberos_5","cpes":["cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*"]}]},"references":[{"type":"ADVISORY","url":"https://github.com/krb5/krb5/releases"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211022-0003/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211104-0007/"},{"type":"ADVISORY","url":"https://web.mit.edu/kerberos/advisories/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4944"},{"type":"FIX","url":"https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/krb5/krb5","events":[{"introduced":"0"},{"fixed":"05405c3d24c2d84ba79e355ae82f4b1b9884938c"},{"fixed":"eb0a1e051c9133da28613563c4b530bf8d875624"},{"fixed":"fc98f520caefff2e5ee9a0026fdf5109944b3562"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.18.4"},{"introduced":"1.19.0"},{"fixed":"1.19.2"}],"cpe":"cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*"}}],"versions":["krb5-1.19.1-final","krb5-1.19-final","krb5-1.19-beta2","krb5-1.19-beta1","krb5-1.18.3-final","krb5-1.18.2-final","krb5-1.18.1-final","krb5-1.18-final","krb5-1.18-beta2","krb5-1.18-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-36222.json","vanir_signatures":[{"deprecated":false,"target":{"file":"src/kdc/kdc_preauth_ec.c"},"signature_type":"Line","id":"CVE-2021-36222-4eafeb47","digest":{"threshold":0.9,"line_hashes":["11212649172673180521140604104188591304","228806048721091709572489333951828356198","321289942291638231764076182789317623244","93469301882783218346945084207915710111"]},"source":"https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562","signature_version":"v1"},{"deprecated":false,"target":{"file":"src/kdc/kdc_preauth_ec.c","function":"ec_verify"},"signature_type":"Function","id":"CVE-2021-36222-f3fc596a","digest":{"length":2350,"function_hash":"137210320503581614737329061627982532169"},"source":"https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562","signature_version":"v1"}],"vanir_signatures_modified":"2026-05-18T20:15:50Z"}},{"ranges":[{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"beb865a960b9a8a16cf999c323e46c5b0c67f21f"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"8.0.0"},{"last_affected":"8.0.26"}],"cpe":"cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-36222.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}