Skip to main content

389 Directory Server CVE-2026-12528

MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-17 redhat
5.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-reachable LDAP with low-privilege aci-write access required; heap corruption yields only limited integrity and availability impact with no confidentiality breach.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 LOW
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 17, 2026 - 15:40 vuln.today
Analysis Generated
Jun 17, 2026 - 15:40 vuln.today
CVE Published
Jun 17, 2026 - 14:27 cve.org
MEDIUM 5.4

DescriptionNVD

A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.

AnalysisAI

Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to the aci attribute to silently corrupt heap memory in the directory server process by submitting a malformed Access Control Instruction string. The __aclp__normalize_acltxt() function in aclparse.c performs pointer arithmetic on the keyword portion of an ACI string without validating minimum remaining buffer length after whitespace stripping, resulting in a 1-byte out-of-bounds write followed by out-of-bounds reads (CWE-787). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to LDAP as user with aci-write delegation
Delivery
Craft malformed ACI string with 0-2 char keyword
Exploit
Submit LDAP modify targeting aci attribute
Install
Trigger `__aclp__normalize_acltxt()` without length guard
C2
Execute 1-byte out-of-bounds write into heap
Execute
Subsequent out-of-bounds reads corrupt adjacent heap memory
Impact
Directory server process destabilized or data silently corrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated LDAP session where the account holds explicit write access to the `aci` attribute on at least one directory entry - this is a privileged delegation that is not granted to standard directory users by default and must be configured by a directory administrator. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L accurately reflects the threat model: the network attack vector lowers the physical barrier to exploitation, but PR:L confirms that a valid authenticated session with `aci`-write delegation is required - a non-trivial prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated LDAP user who has been delegated write access to the `aci` attribute on a directory suffix crafts a malformed ACI string in which the keyword segment is reduced to one or two characters after whitespace normalization, then submits it via an `ldapmodify` operation. The server's `__aclp__normalize_acltxt()` function processes the value without length validation, writing one byte past the end of the keyword buffer and reading adjacent heap memory, silently corrupting server heap state. …
Remediation The upstream fix is available at https://github.com/389ds/389-ds-base/pull/7542 and adds ACI keyword length validation in `__aclp__normalize_acltxt()` to prevent out-of-bounds access; however, a released patched version of 389-ds-base or Red Hat Directory Server has not been independently confirmed, so administrators should monitor https://access.redhat.com/security/cve/CVE-2026-12528 for an official errata and apply it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-11774 HIGH
7.6 Jun 11

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash

CVE-2026-11788 HIGH
7.5 Jun 09

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu

CVE-2026-11789 MEDIUM
6.5 Jun 09

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic

CVE-2026-11884 MEDIUM
6.5 Jun 10

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat

CVE-2026-11611 MEDIUM
6.5 Jun 08

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat

CVE-2026-11786 MEDIUM
6.5 Jun 09

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack

CVE-2026-11787 MEDIUM
6.3 Jun 09

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi

CVE-2026-14940 MEDIUM
5.3 Jul 07

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor

CVE-2026-11791 MEDIUM
5.0 Jun 18

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race a

CVE-2026-11790 MEDIUM
4.9 Jun 09

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri

CVE-2026-11793 MEDIUM
4.9 Jun 09

Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manage

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected

Share

CVE-2026-12528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy