MIT Kerberos for Windows

by Massachusetts Institute of Technologyv4.1.0

Last updated Jun 8, 2026

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Visit homepage

Install with winget

$ winget install --id MIT.Kerberos --exact --version 4.1.0

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for MIT Kerberos for Windows

MIT Kerberos for Windows uses MSI (WiX). The silent install switches are /quiet /norestart.

One-line silent install (x64)

msiexec.exe /i kfw-4.1-amd64.msi /quiet /norestart

See the full silent install reference for MIT Kerberos for Windows →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v4.1.0

Architecture	Type	Scope	Install	Download
x86	MSI WiX	-		Direct
x64	MSI WiX	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

17 known CVEs via NVD

critical9.1Patched in wingetCVE-2024-37371affects before 1.21.3Jun 28, 2024
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.
Patch Vendor advisory
high7.5Patched in wingetCVE-2024-37370affects before 1.21.3Jun 28, 2024
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
Patch Vendor advisory
medium5.5Patched in wingetCVE-2024-26462affects v1.21.2Feb 28, 2024
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.
high7.5Patched in wingetCVE-2024-26461affects v1.21.2Feb 28, 2024
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
medium5.3Patched in wingetCVE-2024-26458affects v1.21.2Feb 28, 2024
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.
high8.8Patched in wingetCVE-2023-39975affects before 1.21.2Aug 16, 2023
kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.
Patch Vendor advisory
medium6.5Patched in wingetCVE-2023-36054affects before 1.20.2Aug 7, 2023
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key...
Patch
high8.8Patched in wingetCVE-2022-42898affects before 1.19.4Dec 24, 2022
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and ca...
Patch Vendor advisory

Showing 8 of 17. Source: NVD, updated 5h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Frequently asked questions

How do I install MIT Kerberos for Windows on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id MIT.Kerberos --exact --version 4.1.0. winget downloads the installer from Massachusetts Institute of Technology and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install MIT Kerberos for Windows silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id MIT.Kerberos --exact 4.1.0 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for MIT Kerberos for Windows?

MIT Kerberos for Windows uses MSI (WiX). Run the downloaded installer with: msiexec.exe /i kfw-4.1-amd64.msi /quiet /norestart. The silent switches are /quiet /norestart.

How do I uninstall MIT Kerberos for Windows via winget?

Run: winget uninstall --id MIT.Kerberos --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from MIT Kerberos for Windows's Apps & Features entry.

Is MIT Kerberos for Windows free?

MIT Kerberos for Windows is distributed under MIT License. Refer to the publisher (https://web.mit.edu/kerberos/) for the full license terms - Wingetly itself does not charge for installation.

Does MIT Kerberos for Windows work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls MIT Kerberos for Windows directly from the publisher.

How do I keep MIT Kerberos for Windows up to date?

Run winget upgrade --id MIT.Kerberos --exact, or winget upgrade --all to update everything winget tracks. We index 1 version of MIT Kerberos for Windows from microsoft/winget-pkgs.