CVE-2026-9064
Analyzed Analyzed - Analysis Complete
Heap Exhaustion in 389 Directory Server

Publication date: 2026-05-20

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-06-02
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-9064
EUVD
EUVD-2026-31079
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 9.0
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat 389_directory_server *
redhat directory_server 11.0
redhat directory_server 12.0
redhat enterprise_linux 10.0
redhat directory_server 13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-9064 is a vulnerability in the 389 Directory Server (389-ds-base) where the function get_ldapmessage_controls_ext() does not limit the number of controls in an LDAP message.

A remote, unauthenticated attacker can send an LDAP request containing hundreds of thousands of minimal controls within the allowed message size, causing excessive CPU consumption and heap memory allocation on the server.

This leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition on the affected LDAP server.

  • Excessive CPU usage leading to server performance degradation.
  • Heap memory exhaustion causing out-of-memory termination.
  • Worker thread starvation resulting in significant latency and timeouts.

Since the attack can be performed remotely and without authentication, it poses a serious risk to availability.

Detection Guidance

This vulnerability can be detected by monitoring for unusual LDAP traffic patterns, specifically LDAP requests containing an abnormally high number of controls per message. Network or system administrators should look for LDAP messages that include hundreds of thousands of minimal controls, which is not typical behavior.

Detection can also involve observing server performance metrics such as CPU usage, memory consumption, latency, and worker thread availability. Significant latency spikes, timeouts, or out-of-memory conditions on the LDAP server may indicate exploitation attempts.

While no specific commands are provided in the resources, administrators can use network monitoring tools like tcpdump or Wireshark to capture LDAP traffic and filter for LDAP control messages. For example, a tcpdump command to capture LDAP traffic might be:

  • tcpdump -i <interface> port 389 -w ldap_traffic.pcap

Subsequently, analyzing the captured traffic with Wireshark or similar tools can help identify LDAP messages with an unusually high number of controls.

Additionally, monitoring server logs and performance metrics for signs of excessive CPU or memory usage during LDAP requests can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include applying any available patches or updates provided by the vendor to fix the vulnerability in the 389 Directory Server.

If patches are not immediately available, administrators should consider implementing network-level protections such as rate limiting or filtering LDAP requests to block or limit requests with excessive controls.

Monitoring and alerting on unusual LDAP traffic patterns and server resource usage can help detect and respond to exploitation attempts quickly.

Restricting access to the LDAP server from untrusted networks or sources can reduce the attack surface, as the vulnerability can be exploited remotely without authentication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart