Skip to main content

Severity by source

Vendor (redhat) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.7 LOW

Network-reachable LDAP bind endpoint (AV:N), high complexity due to PBKDF2 timing noise (AC:H), no authentication needed to bind (PR:N), low confidentiality-only impact limited to partial hash inference.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 11:20 vuln.today
CVE Published
Jul 08, 2026 - 10:15 cve.org
LOW 3.7

DescriptionCVE.org

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.

AnalysisAI

Timing side-channel exposure in Red Hat Directory Server's PBKDF2-SHA256 password verification allows a remote unauthenticated attacker to send repeated LDAP bind requests and statistically infer partial hash information by measuring response-time differences caused by non-constant-time memcmp() comparisons. Affected deployments span Red Hat Directory Server 11 through 13 and the 389-ds-base package shipped across RHEL 6 through 10. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify accessible LDAP endpoint
Delivery
Enumerate valid username for target account
Exploit
Issue high-volume bind requests with crafted password candidates
Execution
Capture sub-millisecond response-time measurements
Persist
Apply statistical timing analysis
Impact
Infer partial PBKDF2-SHA256 hash bytes

Vulnerability AssessmentAI

Exploitation No authentication is required to initiate LDAP bind attempts (PR:N in CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with direct network access to the LDAP port (389/636) submits thousands of bind requests for a known username with crafted passwords designed to produce hash prefixes of varying lengths, then uses statistical methods to measure sub-millisecond differences in server response times. Because PBKDF2 normalization dominates total response time, the attacker would need exceptionally precise timing measurements and a very high request volume to extract even partial hash information - no public exploit code currently demonstrates this attack.
Remediation No specific patched version number is identified in the available intelligence; an exact fix release has not been independently confirmed from the provided references. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-11774 HIGH
7.6 Jun 11

Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash

CVE-2026-11788 HIGH
7.5 Jun 09

Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 throu

CVE-2026-11789 MEDIUM
6.5 Jun 09

Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP servic

CVE-2026-11884 MEDIUM
6.5 Jun 10

Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replicat

CVE-2026-11611 MEDIUM
6.5 Jun 08

Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticat

CVE-2026-11786 MEDIUM
6.5 Jun 09

Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attack

CVE-2026-11787 MEDIUM
6.3 Jun 09

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confi

CVE-2026-12528 MEDIUM
5.4 Jun 17

Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to

CVE-2026-14940 MEDIUM
5.3 Jul 07

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to cor

CVE-2026-11791 MEDIUM
5.0 Jun 18

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race a

CVE-2026-11790 MEDIUM
4.9 Jun 09

Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly pri

Share

EUVD-2026-42213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy