EUVD-2026-35424
GHSA-3mr2-rf49-p7w4
Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.
AnalysisAI
Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two distinct non-default preconditions must both be satisfied simultaneously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.3 (Low) accurately reflects the constrained exploitability of this issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained high-privilege administrative credentials to a Red Hat Directory Server instance - for example, through credential theft or replication peer compromise - authenticates over the network, confirms that audit logging is active and CLEAR password storage is configured, then submits a short cleartext password (e.g., via a bind or password modify operation). The fixed-length mask copy in create_masked_entry_string() overflows the heap buffer, potentially corrupting adjacent heap structures or audit log entries. … |
| Remediation | Apply Red Hat errata RHBA-2025:15534 (https://access.redhat.com/errata/RHBA-2025:15534), which addresses this heap overflow in the audit logging path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Share
External POC / Exploit Code
Leaving vuln.today