
389 Directory Server EUVD-2026-36293

CVE-2026-11774 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-11 redhat GHSA-6mrg-rm5v-2c3q
7.6 (CVSS 3.1 · NVD)

Severity by source

Vendor (redhat), primary: HIGH (qualitative)
NVD: 7.6 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
vuln.today AI: 7.6 HIGH

Network-reachable LDAP (AV:N), deterministic overflow trigger (AC:L), requires a successful SASL bind so PR:L; RCE potential gives some C/I impact but reliable outcome is service crash, hence A:H with C:L/I:L.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 11, 2026 - 19:15 (vuln.today)
CVE Published: Jun 11, 2026 - 17:54 (cve.org), HIGH 7.6

Description (NVD)

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
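The wraparound described above, shown as an added C example that is not code from 389-ds-base: a limit check done after a 32-bit addition beside one that compares before adding. The function names and the 2 MiB sample limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a length-prefix limit check; not the project's code. */
#define SAMPLE_MAX_IO_SIZE 2097152u /* assumed sample limit (2 MiB) */

/* Decode the 4-byte big-endian length prefix of a SASL-wrapped packet. */
uint32_t read_len_prefix(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
}

/* Flawed pattern: the header size is added in 32-bit arithmetic and the
 * limit is checked afterwards, so 0xFFFFFFFC + 4 wraps to 0 and passes. */
bool accept_flawed(uint32_t payload_len, uint32_t max_io, uint32_t *total)
{
    uint32_t t = payload_len;
    t += (uint32_t)sizeof(uint32_t); /* unsigned wraparound happens here */
    *total = t;
    return t <= max_io;
}

/* Hardened pattern: compare the payload length against the limit before
 * adding, then compute the total in a wider type so it cannot wrap. */
bool accept_checked(uint32_t payload_len, uint32_t max_io, size_t *total)
{
    if (max_io < sizeof(uint32_t) ||
        payload_len > max_io - sizeof(uint32_t))
        return false;
    *total = (size_t)payload_len + sizeof(uint32_t);
    return true;
}

int main(void)
{
    /* Constructed header bytes carrying the prefix value named in the CVE. */
    const unsigned char hdr[4] = {0xFF, 0xFF, 0xFF, 0xFC};
    uint32_t len = read_len_prefix(hdr), t32 = 0;
    size_t t = 0;
    bool flawed = accept_flawed(len, SAMPLE_MAX_IO_SIZE, &t32);
    bool checked = accept_checked(len, SAMPLE_MAX_IO_SIZE, &t);
    printf("flawed: accepted=%d total=%u\n", (int)flawed, (unsigned)t32);
    printf("checked: accepted=%d\n", (int)checked);
    return 0;
}
```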

Analysis (AI)

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain Kerberos ticket or LDAP credential
Delivery: Connect to ns-slapd LDAP port
Exploit: Complete SASL bind with SSF>0
Install: Send packet with length prefix 0xFFFFFFFC
C2: Trigger integer overflow in sasl_io_start_packet
Execute: Corrupt ns-slapd heap with ~2MB payload
Impact: Crash service or execute code as directory account

Vulnerability Assessment (AI)

Exploitation: Attacker must (1) reach a directory server's LDAP/LDAPS port over the network, (2) complete a successful SASL bind that negotiates a security layer with SSF > 0 (integrity or confidentiality, typically GSSAPI/Kerberos or DIGEST-MD5), and (3) send a crafted SASL packet whose 32-bit length prefix is 0xFFFFFFFC to trigger the wraparound in sasl_io_start_packet. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H combined with confirmed RCE potential and a high-value target (the directory service that backs Kerberos/LDAP authentication) makes this a genuine priority for any environment running 389-ds, RHDS, FreeIPA, or RH IdM. …

Exploit Scenario: An attacker with any valid Kerberos credential in a FreeIPA/IdM realm - for example a low-privileged domain user, a stolen host keytab, or a compromised service account - opens an LDAP connection to a directory replica, completes a GSSAPI SASL bind negotiating integrity protection, then sends a SASL-framed message whose 4-byte length prefix is 0xFFFFFFFC. The integer overflow in sasl_io_start_packet allocates a near-zero buffer that is then filled with roughly 2 MB of attacker-controlled bytes, corrupting the ns-slapd heap to either crash the directory (denial of service that takes down authentication for the whole realm) or, with appropriate heap grooming, achieve remote code execution as the directory service account.

Remediation: No vendor-released patch identified at time of analysis from the supplied references; monitor https://access.redhat.com/security/cve/CVE-2026-11774 and the linked Bugzilla 2484916 for fixed package versions (389-ds-base for RHEL 8/9/10 and redhat-ds for RHDS 11/12/13) and apply them as soon as they ship, prioritizing IdM/FreeIPA replicas. …

Recommended Action (AI)

Within 24 hours: identify all 389-ds deployments and FreeIPA/Red Hat Identity Management instances in production. …
