CVE-2025-11561
Publication date 9 October 2025
Last updated 13 January 2026
Ubuntu priority
Description
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Mitigation
In environments where fallback to the an2ln plugin is not desirable, "disable = an2ln" can be used to disable it in the localauth configuration in the plugins section of krb5.conf. See an example in the upstream bug report for this issue: https://github.com/SSSD/sssd/issues/8021#issuecomment-3136802302
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| sssd | 25.10 questing | Ignored see notes |
| 25.04 plucky | Ignored see notes | |
| 24.04 LTS noble | Ignored see notes | |
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Ignored see notes | |
| 18.04 LTS bionic | Ignored see notes | |
| 16.04 LTS xenial | Ignored see notes |
Notes
mdeslaur
The upstream fix for this issue removes the fallback to an2ln. Changing this behaviour in stable releases may break existing environments. We will not be releasing an update for this issue for Ubuntu stable releases.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |