Skip to main content

389 Directory Server CVE-2026-11791

| EUVDEUVD-2026-37902 MEDIUM
Use After Free (CWE-416)
2026-06-18 redhat GHSA-gxp7-cx54-gr2m
5.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
5.0 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
4.4 MEDIUM

Admin-only schema reload trigger sets PR:H; race condition with concurrent traffic sets AC:H; crash is pure availability impact with no confirmed confidentiality or integrity effect.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 HIGH
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Red Hat
5.0 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 16:06 vuln.today
CVE Published
Jun 18, 2026 - 14:44 cve.org
MEDIUM 5.0

DescriptionNVD

A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).

AnalysisAI

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race against active LDAP query worker threads. The attr_syntax_swap_ht() function bypasses the refcount-based deferred deletion mechanism used throughout the attribute syntax subsystem, directly freeing nodes that concurrent worker threads may still hold references to. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Directory Manager credentials
Delivery
Authenticate to 389 Directory Server
Exploit
Issue schema reload while LDAP query traffic is active
Execution
attr_syntax_swap_ht() frees syntax nodes without refcount check
Persist
Worker thread dereferences freed memory
Impact
Server crash and denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the attacker or insider holds administrator-level (Directory Manager) credentials sufficient to invoke a schema reload operation - this is the PR:H gating factor that prevents unauthenticated or low-privileged exploitation entirely; and (2) concurrent LDAP query traffic from other clients must be active at the moment of the schema reload, creating the race condition - this is the AC:H factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H) yields a 5.0 score that accurately reflects the constrained exploitation path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor who has obtained Directory Manager credentials - either through credential theft, insider access, or a prior compromise - authenticates to the 389 Directory Server and issues a schema reload operation (e.g., via ldapmodify targeting cn=schema) while the server is under normal LDAP query load from applications. The race between `attr_syntax_swap_ht()` freeing syntax nodes and concurrent worker threads dereferencing those same nodes causes a use-after-free, crashing the directory server process and interrupting all LDAP-dependent services (authentication, authorization, application logins). …
Remediation The primary remediation is to apply the vendor-issued patch from Red Hat once released; monitor https://access.redhat.com/security/cve/CVE-2026-11791 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2485414 for the specific fixed package versions - no exact patched version number is confirmed in available data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-11774 HIGH
7.6 Jun 11

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash

CVE-2026-11788 HIGH
7.5 Jun 09

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu

CVE-2026-11789 MEDIUM
6.5 Jun 09

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic

CVE-2026-11884 MEDIUM
6.5 Jun 10

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat

CVE-2026-11611 MEDIUM
6.5 Jun 08

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat

CVE-2026-11786 MEDIUM
6.5 Jun 09

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack

CVE-2026-11787 MEDIUM
6.3 Jun 09

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi

CVE-2026-12528 MEDIUM
5.4 Jun 17

Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to

CVE-2026-14940 MEDIUM
5.3 Jul 07

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor

CVE-2026-11790 MEDIUM
4.9 Jun 09

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri

CVE-2026-11793 MEDIUM
4.9 Jun 09

Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manage

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected

Share

CVE-2026-11791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy