EUVD-2026-35420
GHSA-x2wj-4r98-4867
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable and unauthenticated, but exploitation depends on inducing a memory-allocation failure in the server, so AC:H; impact is availability-only crash of ns-slapd.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
10DescriptionNVD
A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.
AnalysisAI
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires network reachability to the 389 Directory Server LDAP/LDAPS listener (typically 389/tcp or 636/tcp) and the ability to send a search request invoking the dereference control plugin, which is enabled by default in 389-ds. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are coherent but mixed in priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with TCP reach to the LDAP listener sends a search request carrying the dereference control while the server is under memory pressure (which the attacker may amplify through concurrent expensive searches or sheer connection volume); a failed BER allocation returns NULL, the plugin dereferences it, and ns-slapd crashes, taking directory authentication and lookup services offline. No public exploit has been identified at time of analysis. |
| Remediation | Patch available per vendor advisory - apply the Red Hat-provided 389-ds-base / redhat-ds package update for your platform once the corresponding RHSA is published (track https://access.redhat.com/security/cve/CVE-2026-11788 and Bugzilla 2485423 for the exact fixed version, which was not included in the input data). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all 389 Directory Server and Red Hat Directory Server 11, 12, 13 instances, with emphasis on those exposed to untrusted networks or the internet. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi
Share
External POC / Exploit Code
Leaving vuln.today