CVE-2025-59089
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
A vulnerability in kdcproxy allows an attacker to perform a DoS attack by sending unbounded data in a KDC response, causing excessive memory and CPU usage. The lack of TCP response length validation and inefficient buffer management can overwhelm the server even with a single request.
Risk Assessment
An attacker can exploit this vulnerability to exhaust server resources (memory and CPU), preventing legitimate client requests from being processed. Multiple concurrent requests can cause accept queue overflow, completely blocking service access.
Recommendation
Immediately update kdcproxy to a version that implements TCP response length limits and optimizes buffer management. Until the update is applied, restrict trusted KDC servers and implement network traffic filtering.
Original NVD description (English source)
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.

