EUVD-2026-35423
GHSA-v6v5-66j3-444p
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.
AnalysisAI
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be authenticated as Directory Manager (the highest-privilege LDAP role), confirmed by CVSS PR:H. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.9 (Medium) score is consistent with the actual risk profile: AV:N confirms network reachability, AC:L reflects low exploit complexity once prerequisites are met, but PR:H (Directory Manager privileges required) is the primary limiting factor that depresses the score and real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained Directory Manager credentials - through credential theft, insider access, or prior compromise - connects to the LDAP server over the network and issues an LDAP modify operation that stores a crafted attribute value containing a reversible-encrypted password with an algorithm ID exceeding 256 bytes. When 389-ds subsequently calls checkPrefix() to parse the stored value, the oversized algorithm ID overflows the stack buffer, FORTIFY_SOURCE detects the corruption, and the server process is aborted - taking down LDAP authentication for all dependent systems until the service is manually restarted. |
| Remediation | Patch available per vendor advisory, but no exact fixed version is confirmed in the provided input data - consult https://access.redhat.com/security/cve/CVE-2026-11793 directly and apply the errata package when Red Hat releases it via their normal RHSA process. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Share
External POC / Exploit Code
Leaving vuln.today