libkrb5.so is vulnerable to denial of service (DoS) through a buffer overflow. The vulnerability exists in the get_matching_data() function of krb5, which is used by the certauth plugin: when both the CA certificate and the user's certificate have long subjects, the overflow is triggered, resulting in a denial of service (DoS).

Remarks: This attack requires a validated certificate with a long subject and issuer, and a pkinit_cert_match string attribute that matches a principal in the database.