Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable LDAP bind endpoint (AV:N), high complexity due to PBKDF2 timing noise (AC:H), no authentication needed to bind (PR:N), low confidentiality-only impact limited to partial hash inference.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
AnalysisAI
Timing side-channel exposure in Red Hat Directory Server's PBKDF2-SHA256 password verification allows a remote unauthenticated attacker to send repeated LDAP bind requests and statistically infer partial hash information by measuring response-time differences caused by non-constant-time memcmp() comparisons. Affected deployments span Red Hat Directory Server 11 through 13 and the 389-ds-base package shipped across RHEL 6 through 10. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required to initiate LDAP bind attempts (PR:N in CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with direct network access to the LDAP port (389/636) submits thousands of bind requests for a known username with crafted passwords designed to produce hash prefixes of varying lengths, then uses statistical methods to measure sub-millisecond differences in server response times. Because PBKDF2 normalization dominates total response time, the attacker would need exceptionally precise timing measurements and a very high request volume to extract even partial hash information - no public exploit code currently demonstrates this attack. |
| Remediation | No specific patched version number is identified in the available intelligence; an exact fix release has not been independently confirmed from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Directory Server 11
View allDenial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi
Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to
Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor
Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race a
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42213
GHSA-j5fh-pqqw-m384