Red Hat Directory Server 12
Monthly
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. This is explicitly an incomplete fix variant of CVE-2025-14905, meaning organizations that patched that prior CVE may remain exposed if the SUP field code path was not remediated; no public exploit has been identified at time of analysis.
Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. Exploitation requires two non-default preconditions - audit logging must be enabled AND either CLEAR password storage must be configured or a replication peer must already be compromised - limiting real-world exposure significantly. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.
Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticated network clients to exhaust server memory by initiating a sync operation and halting consumption of responses, causing unbounded queue growth until the server becomes unavailable. Compounding this, race conditions in the plugin's thread lifecycle management can independently trigger server crashes during connection teardown or graceful shutdown. Affected across Red Hat Directory Server 11, 12, and 13 as well as the bundled 389-ds-base package on RHEL 6 through 10. No public exploit identified at time of analysis and no CISA KEV listing.
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. This is explicitly an incomplete fix variant of CVE-2025-14905, meaning organizations that patched that prior CVE may remain exposed if the SUP field code path was not remediated; no public exploit has been identified at time of analysis.
Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. Exploitation requires two non-default preconditions - audit logging must be enabled AND either CLEAR password storage must be configured or a replication peer must already be compromised - limiting real-world exposure significantly. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.
Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticated network clients to exhaust server memory by initiating a sync operation and halting consumption of responses, causing unbounded queue growth until the server becomes unavailable. Compounding this, race conditions in the plugin's thread lifecycle management can independently trigger server crashes during connection teardown or graceful shutdown. Affected across Red Hat Directory Server 11, 12, and 13 as well as the bundled 389-ds-base package on RHEL 6 through 10. No public exploit identified at time of analysis and no CISA KEV listing.