389 Directory Server CVE-2026-11884

EUVD-2026-36045 · MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-06-10 · redhat · GHSA-f4g5-r76v-qg3p
CVSS 3.1 (NVD): 6.5

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 10, 2026 - 15:31 (vuln.today)
CVE Published: Jun 10, 2026 - 14:07 (nvd), MEDIUM 6.5

Description (NVD)

A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905.
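The sizing omission described above, shown next to a hardened serializer, as an added example that is not code from 389 Directory Server. The struct demo_oc, the format string and all function names are hypothetical, and the sample values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified objectclass record; not the 389-ds structure. */
struct demo_oc { const char *oid, *name, *superior, *kind; };

#define OC_FMT "( %s NAME '%s' SUP %s %s )"
#define OC_FIXED (sizeof(OC_FMT) - 1 - 8)   /* literal chars, minus four "%s" */

/* Constructed sizing that mirrors the described omission: SUP is not summed. */
size_t size_without_sup(const struct demo_oc *oc) {
    return OC_FIXED + strlen(oc->oid) + strlen(oc->name) + strlen(oc->kind) + 1;
}

/* Measure the real serialized size (with NUL) instead of hand-summing fields. */
size_t serialized_size(const struct demo_oc *oc) {
    int n = snprintf(NULL, 0, OC_FMT, oc->oid, oc->name, oc->superior, oc->kind);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bytes an unbounded writer would place past a buffer of `allocated` bytes. */
size_t overrun_bytes(const struct demo_oc *oc, size_t allocated) {
    size_t need = serialized_size(oc);
    return need > allocated ? need - allocated : 0;
}

/* Hardened form: size from measurement, bounded write, truncation is an error. */
char *oc_to_string_checked(const struct demo_oc *oc) {
    size_t need = serialized_size(oc);
    char *buf = need ? malloc(need) : NULL;
    if (!buf) return NULL;
    int n = snprintf(buf, need, OC_FMT, oc->oid, oc->name, oc->superior, oc->kind);
    if (n < 0 || (size_t)n >= need) { free(buf); return NULL; }
    return buf;
}

int main(void) {
    char sup[501];                      /* constructed 500-character SUP value */
    memset(sup, 'x', 500); sup[500] = '\0';
    struct demo_oc oc = { "1.2.3.4", "demoClass", sup, "STRUCTURAL" };
    size_t flawed = size_without_sup(&oc);
    printf("flawed=%zu needed=%zu overrun=%zu\n",
           flawed, serialized_size(&oc), overrun_bytes(&oc, flawed));
    char *s = oc_to_string_checked(&oc);
    if (!s) return 1;
    printf("serialized %zu bytes safely\n", strlen(s));
    free(s);
    return 0;
}
```

Comparing a hand-summed size against the measured size, as overrun_bytes() does, is a cheap regression check for any serializer that allocates first and concatenates afterwards.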

Analysis (AI)

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain Directory Manager credentials or compromise replication supplier
Delivery: Connect to LDAP service over network (port 389/636)
Exploit: Submit objectclass schema entry with long SUP field value
Execution: Server invokes schema serialization in read_schema_dse() or schema_oc_to_string()
Persist: strcat() writes SUP string past undersized heap buffer
Impact: Heap corruption triggers server crash (DoS) or integrity-impacting memory overwrite

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to authenticate as Directory Manager (cn=Directory Manager) or hold an equivalent bind DN that has been granted ACI permissions to write to the cn=schema entry. …
Risk Assessment: CVSS 6.5 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H accurately reflects the threat model: the vulnerability is network-reachable and requires no user interaction or special conditions beyond attacker-controlled credentials, but PR:H (high privileges - Directory Manager role) is a genuine barrier that materially limits the attack surface. …
Exploit Scenario: An attacker who has obtained Directory Manager credentials through phishing, credential reuse, or lateral movement from a compromised RHEL host connects to the LDAP server over the network (port 389 or 636) and issues an ldapmodify or ldapadd request to add a new objectclass schema entry - for example, objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'AttackerClass' SUP [500-character string] STRUCTURAL ) - which triggers schema serialization in read_schema_dse() or schema_oc_to_string(). The strcat() call writes the long SUP string past the undersized heap buffer, overwriting adjacent heap metadata and either crashing the dirsrv process immediately (guaranteed DoS) or creating conditions for controlled heap corruption depending on memory layout. …
Remediation: No specific fixed package version is confirmed in the available data; monitor https://access.redhat.com/security/cve/CVE-2026-11884 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2484913 for errata publication. …
