Red Hat Directory Server

389-Ds SASL_IO Integer Overflow: DoS/RCE via Crafted Packet
CVE-2026-11774 7.6 - High - June 11, 2026

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.

Integer Overflow or Wraparound

389 DS Heap Buffer Overflow via OC_SUP Field Length Omission
CVE-2026-11884 6.5 - Medium - June 10, 2026

A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905.

Heap-based Buffer Overflow

389 DS Heap Buffer Overflow in auditlog.c
CVE-2026-11792 3.3 - Low - June 09, 2026

A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.

Heap-based Buffer Overflow

389 Directory Server stack buffer overflow in pw.c
CVE-2026-11793 4.9 - Medium - June 09, 2026

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.

Stack Overflow

389 DS PBKDF2 SHA256 Iteration Unbounded, CPU DoS Exploit
CVE-2026-11790 4.9 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

Resource Exhaustion

389 DS SMD5 Plugin UInt Underflow Buffer Over-read Crashes LDAP
CVE-2026-11789 4.9 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.

Integer underflow

389 Directory Server Plugin Crash via Deref Control
CVE-2026-11788 5.9 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.

NULL Pointer Dereference

389 Directory Server Heap Overread in LDAP Filter Parsing
CVE-2026-11787 5 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.

Buffer Over-read

389 DS Type Confusion Leak LDAP Auth Response
CVE-2026-11785 4.3 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.

Object Type Confusion

389 DS LDIF Parser OOB Read
CVE-2026-11786 1.9 - Low - June 09, 2026

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.

Out-of-bounds Read

389 DS CS-Persistent Search Overuse: Unbounded Memory DoS
CVE-2026-11611 6.5 - Medium - June 08, 2026

A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.

Resource Exhaustion

389-DS LDAP DoS: Unbounded Controls Enable Remote Overload
CVE-2026-9064 7.5 - High - May 20, 2026

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

Allocation of Resources Without Limits or Throttling

389-ds-base Heap Buffer Overflow in schema_attr_enum_callback
CVE-2025-14905 7.2 - High - February 23, 2026

A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Heap-based Buffer Overflow

crossbeam-channel: Drop race may lead to double-free (CVE-2025-4574)
CVE-2025-4574 6.5 - Medium - May 13, 2025

In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

Double-free

OpenSSL Use-After-Free via properties arg leads to UDB
CVE-2025-3416 3.7 - Low - April 08, 2025

A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.

Dangling pointer

Apache Directory Server 389-ds-base ModifyDN NULL Pointer DoS
CVE-2025-2487 4.9 - Medium - March 18, 2025

A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.

NULL Pointer Dereference

389DS Crash via Malformed userPassword Input
CVE-2024-8445 5.7 - Medium - September 05, 2024

The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input.

Improper Input Validation

CVE-2024-6237: 389 Directory Server Unauth Extended Search DoS
CVE-2024-6237 6.5 - Medium - July 09, 2024

A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.

Improper Handling of Missing Values

389-ds-base LDAP DoS via Malformed Hash Login
CVE-2024-5953 5.7 - Medium - June 18, 2024

A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.

Improper Validation of Consistency within Input

389 DS LDAP Crafted Query DoS
CVE-2024-3657 7.5 - High - May 28, 2024

A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service

Improper Input Validation

389 DS LDAP Auth DoS via Malformed userPassword Mod
CVE-2024-2199 5.7 - Medium - May 28, 2024

A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.

Improper Input Validation

389 Directory Server DOS via Heap Overflow in log_entry_attr
CVE-2024-1062 5.5 - Medium - February 12, 2024

A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

Heap-based Buffer Overflow

Red Hat Directory Server LDAP password decode flaw leaks hashed creds
CVE-2023-1055 5.5 - Medium - February 27, 2023

A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.

Improper Certificate Validation

389 Directory Server NULL Pointer Deref via ContentSync Plugin DoS
CVE-2022-2850 6.5 - Medium - October 14, 2022

A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

NULL Pointer Dereference

An access control bypass vulnerability found in 389-ds-base
CVE-2022-1949 7.5 - High - June 02, 2022

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Insecure Direct Object Reference / IDOR

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not
CVE-2020-35518 5.3 - Medium - March 26, 2021

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

Side Channel Attack

Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled
CVE-2014-3562 - August 21, 2014

Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query
CVE-2008-1677 - May 12, 2008

Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query that triggers the overflow during translation to a regular expression.

The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5
CVE-2008-0892 - April 16, 2008

The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5, allows remote attackers to execute arbitrary commands.

Improper Input Validation