<Vulnerability name="CVE-2026-57914">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-26T11:28:26</PublicDate>
    <Bugzilla id="2493399" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493399" xml:lang="en:us">
apache-kerby: org.apache.kerby/kerby-asn1: Apache Kerby: Denial of Service via deeply nested ASN.1 structure
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-776</CWE>
    <Details xml:lang="en:us" source="Mitre">
By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Apache Kerby. A remote attacker could send a deeply nested Abstract Syntax Notation One (ASN.1) structure to an Apache Kerby client or service, triggering a stack overflow exception. This could lead to a denial of service (DoS) condition, making the service unavailable to legitimate users.
    </Details>
    <Statement xml:lang="en:us">
This Moderate flaw in Apache Kerby, as used in several Red Hat products, allows a remote attacker to trigger a denial of service. By sending a specially crafted, deeply nested ASN.1 structure to a vulnerable client or service, an attacker can cause a stack overflow, leading to service unavailability. This impact is considered Moderate due to the potential for disruption of critical services.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:amq_clients:2023">
        <ProductName>Red Hat AMQ Clients</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhbk-openshift-rhel9/rhbk-openshift-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_fuse:7">
        <ProductName>Red Hat Fuse 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-spark-operator-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-th06-cpu-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-th06-cpu-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-th06-rocm64-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_single_sign_on:7">
        <ProductName>Red Hat Single Sign-On 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:2">
        <ProductName>streams for Apache Kafka 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:3">
        <ProductName>streams for Apache Kafka 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>kerby-asn1</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-57914
https://nvd.nist.gov/vuln/detail/CVE-2026-57914
https://lists.apache.org/thread/w98h2q8wz0bq97vhz4vf55hqomcb2j1m
    </References>
</Vulnerability>