CVE-2025-11561

Name: CVE-2025-11561
Description: A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1117935
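The description above turns on one detail of the MIT krb5 localauth interface: when a plugin module answers "no handle" for a principal, krb5 moves on to the next module, and the built-in an2ln rule (strip the default realm, compare the remaining name to the local account) is the last one in the chain. The model below is an added example, not SSSD's or krb5's own code, and it simplifies the real plugin: it assumes SSSD returns no handle for any principal it cannot resolve, uses a constructed two-user directory in place of a domain, and represents the hardened configuration as a module chain with the built-in fallback removed (in krb5.conf the corresponding setting would be `enable_only = sssd` in the `localauth` subsection of `[plugins]`; that mapping from config to chain is this example's assumption, not a statement from the advisory). The attack path it reproduces is the one the description implies: an attacker who can write userPrincipalName sets it to `root@EXAMPLE.COM`, obtains a ticket under that name, and the fallback rule maps it to the local `root` account.

```python
"""Model of the krb5 localauth module chain that CVE-2025-11561 abuses.

Added example (not SSSD/krb5 code). Names, directory contents and the
default realm below are constructed for illustration.
"""

# Stand-in for KRB5_PLUGIN_NO_HANDLE: "not mine, ask the next module".
NO_HANDLE = object()

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default_realm of the host

# Constructed stand-in for what SSSD can resolve from the domain:
# Kerberos principal -> POSIX account name. The attacker's rewritten
# UPN is deliberately absent, modelling a principal SSSD cannot map.
SSSD_DIRECTORY = {
    "alice@EXAMPLE.COM": "alice",
    "bob@EXAMPLE.COM": "bob",
}


def sssd_userok(principal, local_user):
    """Simplified sssd_krb5_localauth_plugin: authoritative for principals it
    resolves, NO_HANDLE otherwise (the behaviour that enables the fallback)."""
    mapped = SSSD_DIRECTORY.get(principal)
    if mapped is None:
        return NO_HANDLE
    return mapped == local_user


def an2ln_default_userok(principal, local_user):
    """Built-in default an2ln rule: a principal in the default realm maps to
    the local account of the same name; anything else is rejected."""
    name, _, realm = principal.rpartition("@")
    if realm != DEFAULT_REALM:
        return False
    return name == local_user


def krb5_userok(principal, local_user, modules):
    """Walk the module chain the way krb5_kuserok() does: the first module
    that does not answer NO_HANDLE decides; if none decides, deny."""
    for module in modules:
        verdict = module(principal, local_user)
        if verdict is not NO_HANDLE:
            return bool(verdict)
    return False


# Default chain: SSSD first, built-in an2ln as fallback (vulnerable).
VULNERABLE_CHAIN = (sssd_userok, an2ln_default_userok)
# Hardened chain: only SSSD may decide; modelled here as dropping the
# built-in module (assumed equivalent of `enable_only = sssd`).
HARDENED_CHAIN = (sssd_userok,)


def login_allowed(principal, local_user, hardened=False):
    """Would a GSSAPI login as `local_user` with a ticket for `principal`
    pass the localauth check under the chosen configuration?"""
    chain = HARDENED_CHAIN if hardened else VULNERABLE_CHAIN
    return krb5_userok(principal, local_user, chain)


if __name__ == "__main__":
    # Attacker-controlled UPN, ticket issued under that name by the KDC.
    forged = "root@EXAMPLE.COM"
    print("default config, root login:", login_allowed(forged, "root"))
    print("hardened config, root login:", login_allowed(forged, "root", hardened=True))
```

Run as-is, the first line prints True (the fallback maps the forged principal to root) and the second prints False (SSSD alone cannot resolve it, and no module remains to say yes). Legitimate users are unaffected by the hardening because SSSD answers for them directly.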

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release              Version           Status
sssd (PTS)      bullseye             2.4.1-2           vulnerable
sssd            bullseye (security)  2.4.1-2+deb11u1   vulnerable
sssd            bookworm             2.8.2-4+deb12u1   vulnerable
sssd            forky, sid, trixie   2.10.1-2          vulnerable

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
sssd     source  (unstable)  (unfixed)                       1117935

Notes

[trixie] - sssd <no-dsa> (Minor issue)
[bookworm] - sssd <no-dsa> (Minor issue)
[bullseye] - sssd <postponed> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2402727
https://blog.async.sg/kerberos-ldr
https://github.com/SSSD/sssd/issues/8021
https://github.com/SSSD/sssd/commit/9939c39d1949fad48af2f0b43c788bad0809e310 (master)
https://github.com/SSSD/sssd/commit/9edd2b3bb9bcff132969fadd402b4891b2ddb9e3 (sssd-2-10)
https://github.com/SSSD/sssd/commit/a0336f4cd69c25b3d501a3d361d3d286c00da4d2 (sssd-2-8)
