CVE-2025-14905
Heap Buffer Overflow in 389-ds-base Enables Remote Code Execution
Publication date: 2026-02-23
Last updated on: 2026-03-31
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | 389-ds-base | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14905 is a heap buffer overflow vulnerability found in the 389-ds-base server, specifically in the schema_attr_enum_callback function within the schema.c file.
The vulnerability occurs because the code calculates the buffer size by summing the lengths of alias strings but fails to account for additional formatting characters added during printing.
A static buffer size of 256 bytes is used to accommodate this overhead, but when a large number of aliases are processed, the extra 3 bytes per alias exceed this margin, causing a heap overflow.
This flaw can be exploited by a remote attacker to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE).
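As an added illustration of the size arithmetic described above (a constructed model, not the 389-ds-base code; the exact per-alias formatting of one space and two quotes is an assumption), the vulnerable estimate beside a hardened one in C:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the size estimate the advisory describes, not the
 * real schema.c code: alias lengths were summed and a fixed 256-byte margin
 * added for the formatting characters written around each alias. */
#define FIXED_MARGIN 256
/* Assumed per-alias formatting: a space and two quotes, " 'cn'" (3 bytes). */
#define PER_ALIAS_OVERHEAD 3

static size_t sum_alias_lengths(const char *const *aliases, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += strlen(aliases[i]);
    return total;
}

/* Vulnerable estimate: the margin does not grow with the alias count. */
size_t estimate_vulnerable(const char *const *aliases, size_t n) {
    return sum_alias_lengths(aliases, n) + FIXED_MARGIN;
}

/* Hardened estimate: count every byte the formatter emits, plus the NUL. */
size_t estimate_fixed(const char *const *aliases, size_t n) {
    return sum_alias_lengths(aliases, n) + n * PER_ALIAS_OVERHEAD + 1;
}

/* 1 if the formatted output (with NUL) would overrun the vulnerable estimate. */
int vulnerable_would_overflow(const char *const *aliases, size_t n) {
    return estimate_fixed(aliases, n) > estimate_vulnerable(aliases, n);
}

/* Smallest alias count that exhausts the fixed margin: n*3 + 1 > 256 => 86. */
size_t min_aliases_to_overflow(void) {
    return FIXED_MARGIN / PER_ALIAS_OVERHEAD + 1;
}

/* Hardened formatter: sizes the heap buffer from estimate_fixed() and writes
 * with snprintf so the output can never exceed it. Caller frees the result. */
char *format_aliases(const char *const *aliases, size_t n) {
    size_t cap = estimate_fixed(aliases, n), off = 0;
    char *buf = malloc(cap);
    if (buf == NULL) return NULL;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + off, cap - off, " '%s'", aliases[i]);
        if (w < 0 || (size_t)w >= cap - off) { free(buf); return NULL; }
        off += (size_t)w;
    }
    return buf;
}
```

Because the shortfall is 3 bytes per alias regardless of alias length, the fixed margin is exhausted by the alias count alone, which is why a large alias list is what triggers the overflow.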
How can this vulnerability impact me?
This vulnerability can impact you by allowing a remote attacker to exploit the heap buffer overflow to cause a Denial of Service (DoS), making the affected service unavailable.
More severely, the attacker may achieve Remote Code Execution (RCE), which could allow them to execute arbitrary code on the affected system with the privileges of the 389-ds-base server.
Such impacts can lead to system compromise, data breaches, or disruption of services relying on the 389-ds-base server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all Linux systems running the affected versions of the 389-ds-base server. Immediate mitigation involves updating or patching the 389-ds-base package to a version where this heap buffer overflow issue in the schema_attr_enum_callback function has been fixed.
Since the flaw is due to incorrect buffer size calculation when processing a large number of aliases, limiting the number of aliases or disabling vulnerable features temporarily may reduce exposure until a patch is applied.
Monitor official advisories and apply updates before the resolution deadline of February 20, 2026.