Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber
AC:H reflects the non-default configuration prerequisite (recent login history enabled); PR:H for authorized-only access; S:C because heap exhaustion cascades to all downstream identity-dependent systems.
Primary rating from Vendor (Ping Identity).
CVSS VectorVendor: Ping Identity
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.
AnalysisAI
PingDirectory's virtual attribute processing exposes an authenticated denial-of-service path capable of exhausting the Java heap, with cascading availability, confidentiality, and integrity impacts on all downstream identity-dependent systems. Authorized users with elevated directory privileges can trigger progressive, unreclaimed heap allocation by copying virtual attributes referencing ds-privilege-name values while recent login history is active. The vendor-assigned CVSS 4.0 score of 6.3 (Amber urgency) masks notably high subsequent-system impact ratings (SC:H/SI:H/SA:H), reflecting that the real organizational risk lies not in PingDirectory itself but in the authentication and authorization disruption cascading to every application integrated with the directory; no public exploit code or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
PingDirectory is Ping Identity's enterprise LDAP directory service. Virtual attributes in LDAP are not stored in the directory information tree but are computed at query time based on logic or references to other attribute values. The ds-privilege-name attribute is a Ping Identity-specific LDAP operational attribute that governs directory access control privileges. CWE-401 (Missing Release of Memory After Effective Lifetime) identifies the root cause as a memory-leak class defect: when the virtual attribute engine processes copy operations referencing ds-privilege-name under the recent login history code path, allocated Java heap objects are not returned to the garbage collector after their effective use, resulting in progressive heap growth. Sufficiently repeated invocations will drive the JVM to OutOfMemoryError conditions, halting or severely degrading the directory process. The CPE string cpe:2.3:a:ping_identity:pingdirectory:*:*:*:*:*:*:*:* indicates the wildcard version range - all versions prior to the patched 11.0.0.1 release are potentially affected, though the oldest affected version is not confirmed in available intelligence.
RemediationAI
Upgrade to PingDirectory 11.0.0.1 or later, available from the Ping Identity downloads portal at https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html, with release notes at https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html and full advisory details at https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes. If immediate patching cannot be completed, the primary compensating control is to disable the recent login history feature in PingDirectory, which removes the necessary configuration prerequisite for exploitation; note that disabling this feature will eliminate login audit trail data, which may have compliance implications in regulated environments. A secondary control is to audit and restrict directory privilege assignments to reduce the set of users capable of performing virtual attribute copy operations on sensitive operational attributes like ds-privilege-name, enforcing least-privilege access; this does not eliminate the vulnerability but raises the bar for exploitation by narrowing the authorized user pool.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36374
GHSA-m4wx-pp34-v6v9