Severity by source

CVSS vector (vendor: redhat): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from the vendor (Red Hat), the only source for this CVE.
Description (CVE.org)
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.
Analysis (AI-generated)
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. …
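The flaw described above comes down to trusting a parameter read from attacker-writable data before doing work proportional to it. The added example below (not code from 389 Directory Server or Red Hat) contrasts a verifier that runs whatever iteration count the stored hash carries with one that bound-checks it first; the `{PBKDF2-SHA256}<iterations>$<salt>$<hash>` layout, the `MAX_ITERATIONS` ceiling and the sample values are assumptions made for the example, not the server's real on-disk encoding.

```python
import base64
import hashlib
import hmac

SCHEME = "{PBKDF2-SHA256}"
# Assumed ceiling for this example: a deployment would pick a value comfortably
# above the iteration count it actually stores, so legitimate hashes always pass.
MAX_ITERATIONS = 1_000_000


def parse_stored_hash(stored: str):
    """Split the assumed '{PBKDF2-SHA256}<iters>$<salt_b64>$<dk_b64>' layout."""
    if not stored.startswith(SCHEME):
        raise ValueError("unexpected password scheme")
    iters_s, salt_b64, dk_b64 = stored[len(SCHEME):].split("$")
    return int(iters_s), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_unbounded(stored: str, password: str) -> bool:
    """Vulnerable pattern: the iteration count in the entry drives the KDF cost."""
    iters, salt, dk = parse_stored_hash(stored)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, len(dk))
    return hmac.compare_digest(cand, dk)


def verify_bounded(stored: str, password: str) -> bool:
    """Hardened pattern: reject out-of-range counts before any KDF work is done."""
    iters, salt, dk = parse_stored_hash(stored)
    if not 1 <= iters <= MAX_ITERATIONS:
        # Fail closed: a malformed entry is an admin problem, not a CPU budget.
        raise ValueError(f"iteration count {iters} outside [1, {MAX_ITERATIONS}]")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, len(dk))
    return hmac.compare_digest(cand, dk)


def make_stored_hash(password: str, salt: bytes, iters: int) -> str:
    """Build a constructed hash in the assumed layout (32-byte derived key)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, 32)
    return f"{SCHEME}{iters}${base64.b64encode(salt).decode()}${base64.b64encode(dk).decode()}"


# Constructed samples: a legitimate entry at 10,000 iterations, and the same
# entry with only the iteration field rewritten to an absurd value, which is
# what a writer with access to the stored hash could leave behind.
SALT = b"constructed-salt"
GOOD_HASH = make_stored_hash("correct horse", SALT, 10_000)
HUGE_HASH = GOOD_HASH.replace(f"{SCHEME}10000$", f"{SCHEME}4000000000$", 1)
```

`verify_unbounded(HUGE_HASH, ...)` would run four billion HMAC rounds for a single bind; `verify_bounded` refuses the entry in constant time.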
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the attacker to hold high-privilege write access to stored password hash entries in the 389 Directory Server - specifically, write permission on the userPassword attribute for the target LDAP entry, which typically means Directory Manager-level credentials or explicitly delegated ACL write rights on that attribute. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.9 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with compromised Directory Manager credentials authenticates to the 389 Directory Server over LDAP (AV:N, PR:H) and issues an LDAP modify operation to overwrite a target service account's userPassword attribute with a crafted PBKDF2-SHA256 hash embedding an iteration count in the billions. Every subsequent authentication attempt by that service account - or by any process binding as that account - triggers a CPU-saturating PBKDF2 computation on the LDAP server, potentially rendering the directory unresponsive to all clients. … |
| Remediation | No vendor-released patch version has been confirmed from the available reference data at the time of analysis - the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-11790 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2485421 should be monitored for patch releases targeting Red Hat Directory Server 11, 12, 13 and the RHEL ds-base package. … Detailed patch versions, workarounds, and compensating controls in full report. |
Related identifiers: EUVD-2026-35422, GHSA-5cpf-527w-96rp