389-ds Base Static IV Attack (AES-CBC/3DES-CBC)
CVE-2026-14969 Published on July 7, 2026
389-ds-base: 389-ds-base: static initialization vector in aes-cbc/3des-cbc attribute encryption
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
Vulnerability Analysis
CVE-2026-14969 can be exploited with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Not Using an Unpredictable IV with CBC Mode
Not using an unpredictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
Products Associated with CVE-2026-14969
stack.watch emails you whenever new vulnerabilities are published in Red Hat Directory Server or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.