Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Authenticated network attacker (PR:L, AV:N, AC:L); description confirms only a server crash with no proven disclosure or code execution, so C:N/I:N/A:H rather than the input's C:H/I:H/A:H.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
AnalysisAI
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LDAP client to crash the server by sending an oversized UNBIND packet over a SASL integrity-protected connection. The oversized data overflows a fixed 512-byte heap receive buffer in sasl_io_recv() (sasl_io.c), and in FreeIPA / Red Hat IdM any domain user, enrolled host, or service account with a valid Kerberos ticket can trigger it after GSSAPI authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a successfully established SASL bind that negotiates a security layer with SSF greater than 0 (integrity or confidentiality protection, typically via GSSAPI/Kerberos) - the vulnerable sasl_io_recv() path is only reached for SASL-wrapped connections, so plaintext or non-integrity binds do not trigger it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately consistent but contain one important discrepancy. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged domain user in a Red Hat IdM realm obtains a normal Kerberos ticket, opens an LDAP connection to the directory server, and completes a GSSAPI SASL bind that negotiates an integrity layer (SSF > 0). They then send a single crafted, oversized UNBIND packet whose payload overflows the 512-byte heap buffer in sasl_io_recv(), crashing the dirsrv process and taking down directory-backed authentication for the domain. … |
| Remediation | No vendor-released patch version was identified at time of analysis; monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11610 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2484414 for the fixed 389-ds-base / Red Hat Directory Server package builds and apply them via the standard errata channel as soon as they publish, then restart the dirsrv instance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all 389-ds-base installations and FreeIPA/Red Hat IdM deployments; assess exposure scope based on number of authenticated accounts and systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Directory Server 11
View allHeap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi
Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to
Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor
Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race a
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manage
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Liberty Linux 10 | Fixed |
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE CaaS Platform 4.0 | Affected |
| SUSE Enterprise Storage 6 | Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP1 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
| suse/389-ds | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42026
GHSA-2g8g-f92j-g4gq