EUVD-2026-35421
GHSA-jjqx-m459-2x33
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionNVD
A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
AnalysisAI
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a network-accessible 389 Directory Server instance with the SMD5 password storage plugin active (this plugin must be loaded and in use for stored password verification). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.9 is consistent with the PR:H constraint in the vector - an attacker must hold high-privilege credentials (e.g., Directory Manager or equivalent) before triggering the crash, which substantially narrows the realistic attacker population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained high-privilege LDAP credentials - for example, through credential theft, a misconfigured service account, or insider access - sends a specially crafted LDAP bind request containing an SMD5-formatted password hash that is fewer than 16 bytes in length. The SMD5 plugin's salt-length computation wraps around to a very large unsigned value, causing the server to read far beyond the valid buffer and crash. … |
| Remediation | Patch available per vendor advisory - consult https://access.redhat.com/security/cve/CVE-2026-11789 for specific RHSA advisory numbers and exact fixed package versions, as no patched version number was included in the available input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi
Share
External POC / Exploit Code
Leaving vuln.today