Skip to main content

389-ds-base EUVDEUVD-2026-42052

| CVE-2026-14969 MEDIUM
Generation of Predictable IV with CBC Mode (CWE-329)
2026-07-07 redhat GHSA-9458-4323-hx4r
4.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.4 MEDIUM

Local filesystem access with high OS privileges required; no integrity or availability impact; confidentiality high given sensitivity of encrypted directory attributes.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
4.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 16:20 vuln.today

DescriptionNVD

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.

AnalysisAI

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain root access to RHEL host
Delivery
Locate LDBM database directory
Exploit
Read raw encrypted attribute bytes
Execution
Compare ciphertext blocks across entries
Impact
Identify entries sharing identical encrypted values

Vulnerability AssessmentAI

Exploitation Exploitation requires the following specific conditions: (1) the attacker must have privileged local filesystem access to the LDBM database directory - consistent with the CVSS AV:L/PR:H vector, this means root-level or equivalent OS access to the host running 389-ds-base; (2) the 389-ds-base instance must be configured with attribute-level encryption enabled on one or more attributes using AES-CBC or 3DES-CBC - this is a non-default configuration that must be explicitly activated by a directory administrator; (3) the target attributes must store values where equality is meaningful (e.g., hashed credentials, unique identifiers, PII fields). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) scores 4.4 Medium, and the vector is internally consistent with the described attack: local access (AV:L) with high privileges (PR:H) is required to read raw LDBM database files, which are normally restricted to the directory server process and root. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has escalated to root on a RHEL host running Red Hat Directory Server opens the LDBM database files directly (e.g., using a Berkeley DB tool or raw file reads on /var/lib/dirsrv/slapd-instance/db/) and extracts the raw ciphertext bytes for an encrypted attribute such as a personal identifier or credential field across multiple user entries. Because the static IV causes identical plaintext values to encrypt to identical ciphertext, the attacker can group entries by ciphertext equality - for example, confirming which users share the same attribute value - without needing the encryption key or recovering any actual plaintext. …
Remediation No patched package version was explicitly identified in the provided input data; the Red Hat CVE advisory (https://access.redhat.com/security/cve/CVE-2026-14969) and Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2497735) should be monitored for errata releases targeting 389-ds-base on the affected RHEL releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-11774 HIGH
7.6 Jun 11

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash

CVE-2026-11788 HIGH
7.5 Jun 09

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu

CVE-2026-11789 MEDIUM
6.5 Jun 09

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic

CVE-2026-11884 MEDIUM
6.5 Jun 10

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat

CVE-2026-11611 MEDIUM
6.5 Jun 08

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat

CVE-2026-11786 MEDIUM
6.5 Jun 09

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack

CVE-2026-11787 MEDIUM
6.3 Jun 09

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi

CVE-2026-12528 MEDIUM
5.4 Jun 17

Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to

CVE-2026-14940 MEDIUM
5.3 Jul 07

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor

CVE-2026-11791 MEDIUM
5.0 Jun 18

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race a

CVE-2026-11790 MEDIUM
4.9 Jun 09

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected

Share

EUVD-2026-42052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy