EUVD-2026-35418
GHSA-8v22-4r9h-6m6j
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.
AnalysisAI
Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid LDAP bind with at least low-privilege credentials (confirmed by PR:L in the CVSS vector - unauthenticated access is not sufficient). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 scores this at 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privilege LDAP account (or compromised service account) connects to the 389-ds LDAP endpoint over the network and sends a crafted extended operation request targeting the SSO token handler. The type confusion causes the server to serialize partial stack memory addresses into the LDAP response, which the attacker reads to map the server's memory layout. … |
| Remediation | No vendor-released patch version was identified in the available intelligence at time of analysis; patch status should be confirmed against the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-11785 and the internal tracking ticket at https://redhat.atlassian.net/browse/PSIRTSUPT-7600. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Share
External POC / Exploit Code
Leaving vuln.today