{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-59089","title":"Title"},{"category":"description","text":"If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new\nbuffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response\nheader, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-59089","url":"https://www.suse.com/security/cve/CVE-2025-59089"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for RHSA-2025:21138","url":"https://lists.suse.com/pipermail/suse-liberty-linux-updates/2025-November/002259.html"}],"title":"SUSE CVE CVE-2025-59089","tracking":{"current_release_date":"2025-11-27T00:23:30Z","generator":{"date":"2025-11-26T00:24:13Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-59089","initial_release_date":"2025-11-26T00:24:13Z","revision_history":[{"date":"2025-11-26T00:24:13Z","number":"2","summary":"Current version"},{"date":"2025-11-27T00:23:30Z","number":"3","summary":"Current version"}],"status":"interim","version":"3"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Liberty Linux 9","product":{"name":"SUSE Liberty Linux 9","product_id":"SUSE Liberty Linux 9","product_identification_helper":{"cpe":"cpe:/o:suse:sll:9"}}},{"category":"product_version","name":"python3-kdcproxy-1.0.0-9.el9_6","product":{"name":"python3-kdcproxy-1.0.0-9.el9_6","product_id":"python3-kdcproxy-1.0.0-9.el9_6","product_identification_helper":{"purl":"pkg:rpm/suse/python3-kdcproxy@1.0.0-9.el9_6"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python3-kdcproxy-1.0.0-9.el9_6 as component of SUSE Liberty Linux 9","product_id":"SUSE Liberty Linux 9:python3-kdcproxy-1.0.0-9.el9_6"},"product_reference":"python3-kdcproxy-1.0.0-9.el9_6","relates_to_product_reference":"SUSE Liberty Linux 9"}]},"vulnerabilities":[{"cve":"CVE-2025-59089","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-59089"}],"notes":[{"category":"general","text":"If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new\nbuffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response\nheader, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.","title":"CVE description"}],"product_status":{"recommended":["SUSE Liberty Linux 9:python3-kdcproxy-1.0.0-9.el9_6"]},"references":[{"category":"external","summary":"CVE-2025-59089","url":"https://www.suse.com/security/cve/CVE-2025-59089"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for RHSA-2025:21138","url":"https://lists.suse.com/pipermail/suse-liberty-linux-updates/2025-November/002259.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Liberty Linux 9:python3-kdcproxy-1.0.0-9.el9_6"]}],"threats":[{"category":"impact","date":"2025-11-12T15:00:07Z","details":"moderate"}],"title":"CVE-2025-59089"}]}