Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Admin-only schema reload trigger sets PR:H; race condition with concurrent traffic sets AC:H; crash is pure availability impact with no confirmed confidentiality or integrity effect.
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionNVD
A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).
AnalysisAI
Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race against active LDAP query worker threads. The attr_syntax_swap_ht() function bypasses the refcount-based deferred deletion mechanism used throughout the attribute syntax subsystem, directly freeing nodes that concurrent worker threads may still hold references to. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous conditions: (1) the attacker or insider holds administrator-level (Directory Manager) credentials sufficient to invoke a schema reload operation - this is the PR:H gating factor that prevents unauthenticated or low-privileged exploitation entirely; and (2) concurrent LDAP query traffic from other clients must be active at the moment of the schema reload, creating the race condition - this is the AC:H factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H) yields a 5.0 score that accurately reflects the constrained exploitation path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor who has obtained Directory Manager credentials - either through credential theft, insider access, or a prior compromise - authenticates to the 389 Directory Server and issues a schema reload operation (e.g., via ldapmodify targeting cn=schema) while the server is under normal LDAP query load from applications. The race between `attr_syntax_swap_ht()` freeing syntax nodes and concurrent worker threads dereferencing those same nodes causes a use-after-free, crashing the directory server process and interrupting all LDAP-dependent services (authentication, authorization, application logins). … |
| Remediation | The primary remediation is to apply the vendor-issued patch from Red Hat once released; monitor https://access.redhat.com/security/cve/CVE-2026-11791 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2485414 for the specific fixed package versions - no exact patched version number is confirmed in available data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Directory Server 11
View allDenial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi
Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to
Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manage
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE CaaS Platform 4.0 | Affected |
| SUSE Enterprise Storage 6 | Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP1 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
| SUSE Manager Proxy 4.3 LTS | Affected |
| SUSE Manager Retail Branch Server 4.3 LTS | Affected |
| SUSE Manager Server 4.3 LTS | Affected |
| suse/389-ds | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37902
GHSA-gxp7-cx54-gr2m