IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available. The AIX and VIOS fixes can be downloaded via https from:

https://aix.software.ibm.com/aix/efixes/security/kerberos_fix.tar

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

You must be on the 'prereq for installation' level before applying the interim fix. This may require installing a new level(prereq version) first from:

https://www.ibm.com/resources/mrs/assets?source=aixbp

AIX Level	Interim Fix	Fileset Name (prereq for installation)
7.2, 7.3	IJ55344s9a.250722.epkg.Z	krb5.client.rte (1.16.1.7)

VIOS Level	Interim Fix	Fileset Name (prereq for installation)
3.1, 4.1	IJ55344s9a.250722.epkg.Z	krb5.client.rte (1.16.1.7)

To extract the fixes from the tar file:

tar xvf kerberos_fix.tar

cd kerberos_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 [filename]" command as the following:

openssl dgst -sha256	filename
7e771a31c6f02b5635d99e3444c6085c1c67fd744ed00eade1d042134df6bb54	IJ55344s9a.250722.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.

openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

openssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

Published advisory OpenSSL signature file location:

https://aix.software.ibm.com/aix/efixes/security/kerberos_advisory.asc.sig

CVE-2025-36244

References