389-DS LDAP DoS: Unbounded Controls Enable Remote Overload
CVE-2026-9064 Published on May 20, 2026
389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos)
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Vulnerability Analysis
CVE-2026-9064 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public. 76 days later.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-9064
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
Red Hat Directory Server 11.5 E4S for RHEL 8:- Version 8060020260609102432.0ca98e7e and below * is unaffected.
- Version 8080020260610130252.f969626e and below * is unaffected.
- Version 8100020260601104139.37ed7c03 and below * is unaffected.
- Version 9020020260615123354.1674d574 and below * is unaffected.
- Version 9040020260611130021.1674d574 and below * is unaffected.
- Version 0:3.2.0-7.el10_2 and below * is unaffected.
- Version 0:3.0.6-18.el10_0 and below * is unaffected.
- Version 0:1.3.11.1-12.el7_9 and below * is unaffected.
- Version 8100020260601102239.25e700aa and below * is unaffected.
- Version 8040020260609102422.96015a92 and below * is unaffected.
- Version 8040020260609102422.96015a92 and below * is unaffected.
- Version 8060020260609102416.824efc52 and below * is unaffected.
- Version 8060020260609102416.824efc52 and below * is unaffected.
- Version 8080020260610125847.6dbb3803 and below * is unaffected.
- Version 8080020260610125847.6dbb3803 and below * is unaffected.
- Version 0:2.8.0-7.el9_8 and below * is unaffected.
- Version 0:2.2.4-18.el9_2 and below * is unaffected.
- Version 0:2.4.5-25.el9_4 and below * is unaffected.
- Version 0:2.6.1-21.el9_6 and below * is unaffected.
- Version 1781714123 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.