Skip to main content

389 Directory Server EUVDEUVD-2026-42026

| CVE-2026-11610 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-07-07 redhat GHSA-2g8g-f92j-g4gq
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Authenticated network attacker (PR:L, AV:N, AC:L); description confirms only a server crash with no proven disclosure or code execution, so C:N/I:N/A:H rather than the input's C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 07, 2026 - 10:34 vuln.today
CVE Published
Jul 07, 2026 - 09:17 nvd
HIGH 8.8

DescriptionCVE.org

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

AnalysisAI

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LDAP client to crash the server by sending an oversized UNBIND packet over a SASL integrity-protected connection. The oversized data overflows a fixed 512-byte heap receive buffer in sasl_io_recv() (sasl_io.c), and in FreeIPA / Red Hat IdM any domain user, enrolled host, or service account with a valid Kerberos ticket can trigger it after GSSAPI authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Kerberos ticket in realm
Delivery
Complete GSSAPI SASL bind with SSF>0
Exploit
Send oversized crafted UNBIND packet
Execution
Overflow 512-byte heap buffer in sasl_io_recv()
Impact
Crash dirsrv process (directory DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires a successfully established SASL bind that negotiates a security layer with SSF greater than 0 (integrity or confidentiality protection, typically via GSSAPI/Kerberos) - the vulnerable sasl_io_recv() path is only reached for SASL-wrapped connections, so plaintext or non-integrity binds do not trigger it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent but contain one important discrepancy. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged domain user in a Red Hat IdM realm obtains a normal Kerberos ticket, opens an LDAP connection to the directory server, and completes a GSSAPI SASL bind that negotiates an integrity layer (SSF > 0). They then send a single crafted, oversized UNBIND packet whose payload overflows the 512-byte heap buffer in sasl_io_recv(), crashing the dirsrv process and taking down directory-backed authentication for the domain. …
Remediation No vendor-released patch version was identified at time of analysis; monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11610 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2484414 for the fixed 389-ds-base / Red Hat Directory Server package builds and apply them via the standard errata channel as soon as they publish, then restart the dirsrv instance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all 389-ds-base installations and FreeIPA/Red Hat IdM deployments; assess exposure scope based on number of authenticated accounts and systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-11774 HIGH
7.6 Jun 11

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash

CVE-2026-11788 HIGH
7.5 Jun 09

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu

CVE-2026-11789 MEDIUM
6.5 Jun 09

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic

CVE-2026-11884 MEDIUM
6.5 Jun 10

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat

CVE-2026-11611 MEDIUM
6.5 Jun 08

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat

CVE-2026-11786 MEDIUM
6.5 Jun 09

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack

CVE-2026-11787 MEDIUM
6.3 Jun 09

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi

CVE-2026-12528 MEDIUM
5.4 Jun 17

Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to

CVE-2026-14940 MEDIUM
5.3 Jul 07

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor

CVE-2026-11791 MEDIUM
5.0 Jun 18

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race a

CVE-2026-11790 MEDIUM
4.9 Jun 09

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri

CVE-2026-11793 MEDIUM
4.9 Jun 09

Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manage

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected

Share

EUVD-2026-42026 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy