CVE-2026-9064
Heap Exhaustion in 389 Directory Server
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| red_hat | 389_directory_server | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9064 is a vulnerability in the 389 Directory Server (389-ds-base) where the function get_ldapmessage_controls_ext() does not limit the number of controls in an LDAP message.
A remote, unauthenticated attacker can send an LDAP request containing hundreds of thousands of minimal controls within the allowed message size, causing excessive CPU consumption and heap memory allocation on the server.
This leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition on the affected LDAP server.
- Excessive CPU usage leading to server performance degradation.
- Heap memory exhaustion causing out-of-memory termination.
- Worker thread starvation resulting in significant latency and timeouts.
Since the attack can be performed remotely and without authentication, it poses a serious risk to availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual LDAP traffic patterns, specifically LDAP requests containing an abnormally high number of controls per message. Network or system administrators should look for LDAP messages that include hundreds of thousands of minimal controls, which is not typical behavior.
Detection can also involve observing server performance metrics such as CPU usage, memory consumption, latency, and worker thread availability. Significant latency spikes, timeouts, or out-of-memory conditions on the LDAP server may indicate exploitation attempts.
While no specific commands are provided in the resources, administrators can use network monitoring tools like tcpdump or Wireshark to capture LDAP traffic and filter for LDAP control messages. For example, a tcpdump command to capture LDAP traffic might be:
- `tcpdump -i <interface> port 389 -w ldap_traffic.pcap`
Subsequently, analyzing the captured traffic with Wireshark or similar tools can help identify LDAP messages with an unusually high number of controls.
Additionally, monitoring server logs and performance metrics for signs of excessive CPU or memory usage during LDAP requests can help detect exploitation attempts.
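The answer above leaves the "count the controls" step to Wireshark. As an added example that is not part of this CVE record or of the 389-ds-base project, the following Python decodes the BER structure of an LDAPMessage (RFC 4511: SEQUENCE of messageID, protocolOp and an optional `[0]` Controls sequence) and reports how many Control elements a message carries, so it can be run over payloads extracted from the capture above. It applies only to plaintext LDAP on port 389; LDAPS (636) or sessions upgraded with StartTLS must be decrypted before the controls are visible. The alerting threshold `MAX_CONTROLS_PER_MESSAGE` and the sample messages are constructed here for illustration, not taken from the advisory.

```python
"""Count the controls attached to an LDAP message (BER/ASN.1 framing).

LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...},
                           controls [0] Controls OPTIONAL }
Controls    ::= SEQUENCE OF Control
Control     ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
                           controlValue OCTET STRING OPTIONAL }
"""

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
CONTROLS_TAG = 0xA0      # [0] context-specific, constructed
UNBIND_REQUEST = 0x42    # [APPLICATION 2] NULL; the smallest protocolOp, used for samples

# Assumed alerting threshold (not from the advisory); ordinary clients attach a handful at most.
MAX_CONTROLS_PER_MESSAGE = 16


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def count_ldap_controls(message):
    """Return how many Control elements the LDAPMessage carries (0 if none)."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _, pos = _read_tlv(body, 0)       # messageID
    if tag != INTEGER:
        raise ValueError("missing messageID")
    _, _, pos = _read_tlv(body, pos)       # protocolOp (any APPLICATION tag)
    if pos >= len(body):
        return 0                           # controls are OPTIONAL
    tag, controls, _ = _read_tlv(body, pos)
    if tag != CONTROLS_TAG:
        return 0
    count, cpos = 0, 0
    while cpos < len(controls):            # walk the SEQUENCE OF Control
        tag, _, cpos = _read_tlv(controls, cpos)
        if tag != SEQUENCE:
            raise ValueError("malformed Control element")
        count += 1
    return count


def is_control_flood(message, max_controls=MAX_CONTROLS_PER_MESSAGE):
    """True when a message carries more controls than the assumed threshold."""
    return count_ldap_controls(message) > max_controls


# --- constructed sample messages (not captured traffic) ----------------------

def _tlv(tag, value):
    """Encode a BER TLV with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lbytes)]) + lbytes
    return bytes([tag]) + length + value


def build_unbind(message_id, control_oids=()):
    """Build an UnbindRequest LDAPMessage carrying one minimal Control per OID."""
    controls = b"".join(_tlv(SEQUENCE, _tlv(OCTET_STRING, oid.encode())) for oid in control_oids)
    body = _tlv(INTEGER, bytes([message_id])) + _tlv(UNBIND_REQUEST, b"")
    if controls:
        body += _tlv(CONTROLS_TAG, controls)
    return _tlv(SEQUENCE, body)


# A plain unbind, and one with two well-known controls (ManageDsaIT, simple paged results)
SAMPLE_PLAIN = build_unbind(1)
SAMPLE_TWO_CONTROLS = build_unbind(2, ["2.16.840.1.113730.3.4.2", "1.2.840.113556.1.4.319"])

if __name__ == "__main__":
    for name, msg in [("plain", SAMPLE_PLAIN), ("two controls", SAMPLE_TWO_CONTROLS)]:
        verdict = "flood" if is_control_flood(msg, max_controls=1) else "ok"
        print(name, count_ldap_controls(msg), verdict)
```

Feed `count_ldap_controls` each LDAPMessage payload after TCP reassembly (a single message may span several segments, and several messages may share one segment); the per-message count, not packet size, is the signal that distinguishes this traffic from a legitimate bulk search.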
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying any available patches or updates provided by the vendor to fix the vulnerability in the 389 Directory Server.
If patches are not immediately available, administrators should consider implementing network-level protections such as rate limiting or filtering LDAP requests to block or limit requests with excessive controls.
Monitoring and alerting on unusual LDAP traffic patterns and server resource usage can help detect and respond to exploitation attempts quickly.
Restricting access to the LDAP server from untrusted networks or sources can reduce the attack surface, as the vulnerability can be exploited remotely without authentication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.