Red Hat Directory Server
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Directory Server.
Recent Red Hat Directory Server Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:27125 | (RHSA-2026:27125) Red Hat Directory Server 13.2 container image update | June 18, 2026 |
| RHSA-2026:3379 | (RHSA-2026:3379) Red Hat Directory Server 13.1 container image available as a Technology Preview | February 25, 2026 |
By the Year
In 2026 there have been 25 vulnerabilities in Red Hat Directory Server with an average score of 6.1 out of ten. Last year, in 2025 Directory Server had 3 security vulnerabilities published. That is, 22 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.04.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 25 | 6.08 |
| 2025 | 3 | 5.03 |
| 2024 | 6 | 6.10 |
| 2023 | 1 | 5.50 |
| 2022 | 2 | 7.00 |
| 2021 | 1 | 5.30 |
It may take a day or so for new Directory Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Directory Server Security Vulnerabilities
389 Directory Server PBKDF2SHA256 Timing Attack via NonConstant Memcmp
CVE-2026-15041
3.7 - Low
- July 08, 2026
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Observable Timing Discrepancy
389-ds Base Static IV Attack (AES-CBC/3DES-CBC)
CVE-2026-14969
4.4 - Medium
- July 07, 2026
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
Not Using an Unpredictable IV with CBC Mode
Heap Buffer Overflow in 389Directory Server DN Normalization
CVE-2026-14940
5.3 - Medium
- July 07, 2026
A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), the server can write past the end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated remote attacker can trigger this condition by sending an LDAP operation whose DN reaches the DN normalization routine, such as a search with a crafted base DN. This can corrupt heap memory and may cause denial of service.
Heap-based Buffer Overflow
389-ds-base 1.3.2+ Heap Buffer Overflow via oversized LDAP UNBIND
CVE-2026-11610
8.8 - High
- July 07, 2026
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
Heap-based Buffer Overflow
389 DS Use-After-Free via Unref'd Attr_Syntax Swap during Schema Reload
CVE-2026-11791
5 - Medium
- June 18, 2026
A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).
Dangling pointer
389 Directory Server heap buffer overflow in aclparse.c
CVE-2026-12528
5.4 - Medium
- June 17, 2026
A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.
Memory Corruption
389-Ds SASL_IO Integer Overflow: DoS/RCE via Crafted Packet
CVE-2026-11774
7.6 - High
- June 11, 2026
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
Integer Overflow or Wraparound
389 DS Heap Buffer Overflow via OC_SUP Field Length Omission
CVE-2026-11884
6.5 - Medium
- June 10, 2026
A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905.
Heap-based Buffer Overflow
389 DS Heap Buffer Overflow in auditlog.c
CVE-2026-11792
3.3 - Low
- June 09, 2026
A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.
Heap-based Buffer Overflow
389 Directory Server stack buffer overflow in pw.c
CVE-2026-11793
4.9 - Medium
- June 09, 2026
A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.
Stack Overflow
389 DS PBKDF2 SHA256 Iteration Unbounded, CPU DoS Exploit
CVE-2026-11790
4.9 - Medium
- June 09, 2026
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.
Resource Exhaustion
389 DS SMD5 Plugin UInt Underflow Buffer Over-read Crashes LDAP
CVE-2026-11789
4.9 - Medium
- June 09, 2026
A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
Integer underflow
389 Directory Server Plugin Crash via Deref Control
CVE-2026-11788
5.9 - Medium
- June 09, 2026
A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.
NULL Pointer Dereference
389 Directory Server Heap Overread in LDAP Filter Parsing
CVE-2026-11787
5 - Medium
- June 09, 2026
A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.
Buffer Over-read
389 DS LDIF Parser OOB Read
CVE-2026-11786
1.9 - Low
- June 09, 2026
A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.
Out-of-bounds Read
389 DS Type Confusion Leak LDAP Auth Response
CVE-2026-11785
4.3 - Medium
- June 09, 2026
A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.
Object Type Confusion
389 DS CS-Persistent Search Overuse: Unbounded Memory DoS
CVE-2026-11611
6.5 - Medium
- June 08, 2026
A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.
Resource Exhaustion
389-DS LDAP DoS: Unbounded Controls Enable Remote Overload
CVE-2026-9064
7.5 - High
- May 20, 2026
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Allocation of Resources Without Limits or Throttling
Lodash <4.18.0 _.template key-names RCE
CVE-2026-4800
8.1 - High
- March 31, 2026
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Code Injection
Prototype Pollution via __proto__ in flatted prior to 3.4.2
CVE-2026-33228
9.8 - Critical
- March 20, 2026
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Prototype Pollution
flatted <=3.3.0 Recursion Stack Overflow in parse()
CVE-2026-32141
7.5 - High
- March 12, 2026
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Stack Exhaustion
389-ds-base Heap Buffer Overflow in schema_attr_enum_callback
CVE-2025-14905
7.2 - High
- February 23, 2026
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).
Heap-based Buffer Overflow
CVE-2025-69873: ajv 8.17.1 ReDoS via $data regex injection
CVE-2025-69873
7.5 - High
- February 11, 2026
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
ReDoS
Prototype Pollution via _.unset/.omit in Lodash 4.17.22
CVE-2025-13465
8.2 - High
- January 21, 2026
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23
Prototype Pollution
PLY 3.11 RCE via unvalidated picklefile in yacc()
CVE-2025-56005
7.8 - High
- January 20, 2026
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
Marshaling, Unmarshaling
crossbeam-channel: Drop race may lead to double-free (CVE-2025-4574)
CVE-2025-4574
6.5 - Medium
- May 13, 2025
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
Double-free
OpenSSL Use-After-Free via properties arg leads to UDB
CVE-2025-3416
3.7 - Low
- April 08, 2025
A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.
Dangling pointer
Apache Directory Server 389-ds-base ModifyDN NULL Pointer DoS
CVE-2025-2487
4.9 - Medium
- March 18, 2025
A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.
NULL Pointer Dereference
389DS Crash via Malformed userPassword Input
CVE-2024-8445
5.7 - Medium
- September 05, 2024
The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input.
Improper Input Validation
CVE-2024-6237: 389 Directory Server Unauth Extended Search DoS
CVE-2024-6237
6.5 - Medium
- July 09, 2024
A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
Improper Handling of Missing Values
389-ds-base LDAP DoS via Malformed Hash Login
CVE-2024-5953
5.7 - Medium
- June 18, 2024
A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.
Improper Validation of Consistency within Input
389 DS LDAP Crafted Query DoS
CVE-2024-3657
7.5 - High
- May 28, 2024
A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service
Improper Input Validation
389 DS LDAP Auth DoS via Malformed userPassword Mod
CVE-2024-2199
5.7 - Medium
- May 28, 2024
A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.
Improper Input Validation
389 Directory Server DOS via Heap Overflow in log_entry_attr
CVE-2024-1062
5.5 - Medium
- February 12, 2024
A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.
Heap-based Buffer Overflow
Red Hat Directory Server LDAP password decode flaw leaks hashed creds
CVE-2023-1055
5.5 - Medium
- February 27, 2023
A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.
Improper Certificate Validation
389 Directory Server NULL Pointer Deref via ContentSync Plugin DoS
CVE-2022-2850
6.5 - Medium
- October 14, 2022
A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.
NULL Pointer Dereference
An access control bypass vulnerability found in 389-ds-base
CVE-2022-1949
7.5 - High
- June 02, 2022
An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.
Insecure Direct Object Reference / IDOR
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not
CVE-2020-35518
5.3 - Medium
- March 26, 2021
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
Side Channel Attack
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled
CVE-2014-3562
- August 21, 2014
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.
Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query
CVE-2008-1677
- May 12, 2008
Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query that triggers the overflow during translation to a regular expression.
The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5
CVE-2008-0892
- April 16, 2008
The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5, allows remote attackers to execute arbitrary commands.
Improper Input Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Directory Server or by Red Hat? Click the Watch button to subscribe.