CVE-2026-11774
Status: Awaiting Analysis

Integer Overflow in 389 Directory Server Leading to Heap Buffer Overflow

Vulnerability report for CVE-2026-11774, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
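The arithmetic behind the bypass, shown as an added illustration written for this page rather than code from 389-ds-base: the vulnerable form adds sizeof(uint32_t) to the 32-bit length prefix and compares the sum against the limit, so a prefix of 0xFFFFFFFC yields a total of 0 and passes, while the hardened form bounds the prefix itself before any addition takes place. The function names, the verdict enum and the 2097152-byte limit (the 389-ds default for nsslapd-maxsasliosize) are this example's own assumptions; the real sasl_io_start_packet() is not reproduced here.

```c
/* Added example for this page: models the CVE-2026-11774 length check,
 * not 389-ds code.  Assumptions: the function names, the verdict enum and
 * MAXSASLIOSIZE (2097152, the 389-ds default for nsslapd-maxsasliosize). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAXSASLIOSIZE 2097152u   /* assumed limit: nsslapd-maxsasliosize default */

/* 4-byte big-endian length that precedes every SASL protected buffer
 * (RFC 4422 framing). */
static uint32_t sasl_prefix_len(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: total = prefix + 4 is computed in 32 bits and the
 * wrapped total is what gets compared.  0xFFFFFFFC + 4 == 0x100000000,
 * which is 0 in uint32_t, so the check passes a packet the limit was
 * meant to reject.  0xFFFFFFFD..0xFFFFFFFF wrap to 1..3 and pass too. */
static bool vulnerable_accepts(uint32_t prefix_len, uint32_t max_io)
{
    uint32_t total = prefix_len + (uint32_t)sizeof(uint32_t);   /* may wrap */
    return total <= max_io;
}

/* Hardened pattern: bound the prefix itself before doing any addition.
 * max_io - 4 cannot underflow because max_io < 4 is rejected first. */
static bool hardened_accepts(uint32_t prefix_len, uint32_t max_io)
{
    if (max_io < sizeof(uint32_t)) {
        return false;                       /* no room even for the header */
    }
    return prefix_len <= max_io - (uint32_t)sizeof(uint32_t);
}

/* Verdict on a raw frame header, i.e. what a fixed reader would act on
 * before it sizes any buffer for the payload. */
enum frame_verdict { FRAME_OK, FRAME_TOO_LARGE };

static enum frame_verdict check_frame_header(const unsigned char hdr[4],
                                             uint32_t max_io)
{
    return hardened_accepts(sasl_prefix_len(hdr), max_io) ? FRAME_OK
                                                          : FRAME_TOO_LARGE;
}

int main(void)
{
    /* Constructed prefixes: a small packet, the largest legal one, one byte
     * over the limit, and the advisory's wrapping value plus its neighbour. */
    const uint32_t cases[] = { 16u, MAXSASLIOSIZE - 4u, MAXSASLIOSIZE - 3u,
                               0xFFFFFFFCu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("prefix 0x%08X: vulnerable=%s hardened=%s\n", cases[i],
               vulnerable_accepts(cases[i], MAXSASLIOSIZE) ? "accept" : "reject",
               hardened_accepts(cases[i], MAXSASLIOSIZE) ? "accept" : "reject");
    }
    return 0;
}
```

The largest legal prefix (limit minus the 4-byte header) is accepted by both forms and one byte more is rejected by both, so the hardened check changes nothing for legitimate traffic; it differs only for the wrapping values.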

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-30
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30
External references: NVD, EUVD

Affected Vendors & Products

Showing 4 associated CPEs

Vendor    Product                      Version / Range
red_hat   389_directory_server         from 8.0 (inclusive)
red_hat   389_directory_server         from 7.0 (inclusive)
red_hat   freeipa                      all versions (*)
red_hat   red_hat_identity_management  all versions (*)

Exploitability

Prerequisite (from the description): an authenticated SASL bind with a negotiated integrity layer (SSF > 0). In FreeIPA and Red Hat Identity Management any domain user, enrolled host or service account with a valid Kerberos ticket meets this, so the flaw is reachable by every principal in the domain.

CWE-190 (Integer Overflow or Wraparound): The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

AI Quick Actions

The following sections are AI-generated insights.
Executive Summary

CVE-2026-11774 is an integer overflow vulnerability in the SASL I/O layer of the 389 Directory Server (389-ds-base). It occurs when a specially crafted SASL packet with a length prefix of 0xFFFFFFFC is processed, causing an unsigned integer wraparound to zero in the sasl_io_start_packet() function. This bypasses the configured maximum SASL I/O packet size limit (nsslapd-maxsasliosize) and leads to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data.

After a successful SASL bind with integrity protection, an authenticated remote attacker can exploit this flaw to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE). The vulnerability affects FreeIPA and Red Hat Identity Management deployments, where any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger the issue remotely.

Compliance Impact

The vulnerability in the 389 Directory Server SASL I/O layer allows authenticated users to cause a denial of service or potentially achieve remote code execution. This could lead to unauthorized access or disruption of directory services that manage user authentication and identity information.

Such unauthorized access or service disruption could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and system availability. Specifically, the risk of remote code execution or denial of service could lead to data breaches or service outages, violating confidentiality, integrity, and availability requirements.

However, the provided information does not explicitly detail compliance impacts or mitigation measures related to these standards.

Impact Analysis

This vulnerability can have serious impacts including causing a Denial of Service (DoS) by crashing the LDAP server, which disrupts directory services and authentication processes.

More critically, on certain older platforms such as Red Hat Enterprise Linux 8 with glibc 2.28, it can be exploited to achieve Remote Code Execution (RCE), allowing an attacker to run arbitrary code on the affected server.

Since the vulnerability can be triggered remotely by any authenticated domain user with a valid Kerberos ticket or service account, it poses a significant risk in environments using FreeIPA or Red Hat Identity Management.

Detection Guidance

Detection rests on the SASL framing that follows a successful bind: once an integrity or confidentiality layer is negotiated, every protected buffer on the connection is preceded by a 4-byte big-endian length (RFC 4422 framing), and that prefix is where the crafted value lives. The advisory names 0xFFFFFFFC, the value whose addition of sizeof(uint32_t) wraps exactly to zero; do not key a detector on that single value, because 0xFFFFFFFD through 0xFFFFFFFF wrap to small totals under the same addition, and any prefix larger than the configured nsslapd-maxsasliosize (2097152 bytes by default) is anomalous on its own. Pair traffic inspection with watching for unexpected ns-slapd crashes or restarts.

The prefix is sent in the clear by the SASL security layer itself, so it can be read from a plaintext LDAP capture on port 389 after the bind completes. It cannot be read when the session is wrapped in TLS (LDAPS on port 636 or STARTTLS); for those connections only the server-side signals below are available.

Commands and checks that help detect potential exploitation attempts include:

  • Capturing plaintext LDAP with tcpdump, for example: tcpdump -i <interface> -s 0 -w ldap_capture.pcap port 389 (adding port 636 records only volume and timing, since its payload is encrypted).
  • Opening the capture in Wireshark and inspecting the SASL buffer lengths the LDAP dissector shows for packets after the SASL bind; flag any prefix above nsslapd-maxsasliosize, not only 0xFFFFFFFC.
  • Checking the instance logs under /var/log/dirsrv/slapd-<instance>/: the errors log for crashes or abnormal terminations, and the access log, which records SASL binds as BIND ... method=sasl ... mech=GSSAPI, to identify which authenticated connections had the SASL layer active before a crash.
  • Watching for unexpected restarts of the dirsrv@<instance> unit (systemctl status dirsrv@<instance>, journalctl -u dirsrv@<instance>) and for ns-slapd core dumps (coredumpctl list ns-slapd); repeated crashes or high memory usage can indicate exploitation attempts.
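A scanner over that framing, written for this page as an added example (not a 389-ds or Wireshark component): it walks a captured post-bind TCP payload as a sequence of length-prefixed SASL buffers and reports the first prefix that either wraps on the 32-bit addition or exceeds the configured limit, stopping there because the stream cannot be parsed behind a hostile prefix. The byte strings are constructed for the example, and MAXSASLIOSIZE, the struct and the function names are assumptions.

```c
/* Added example for this page: scans a captured SASL-framed byte stream
 * for prefixes that wrap or exceed the limit.  Not 389-ds code; the
 * samples are constructed and MAXSASLIOSIZE is the assumed default. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXSASLIOSIZE 2097152u   /* assumed: nsslapd-maxsasliosize default */

struct sasl_scan {
    size_t   frames_ok;        /* well-formed frames walked before stopping */
    size_t   alerts;           /* 0 or 1: scanning stops at the first alert */
    size_t   offset_of_alert;  /* byte offset of the suspicious prefix */
    uint32_t bad_prefix;       /* its value */
};

/* 4-byte big-endian SASL buffer length (RFC 4422 framing). */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk buf as consecutive [len][payload] frames.  Returns the number of
 * suspicious prefixes found (0 or 1).  A trailing frame cut off by the end
 * of the capture is not an alert, just the end of what can be checked. */
static size_t scan_sasl_stream(const unsigned char *buf, size_t len,
                               uint32_t max_io, struct sasl_scan *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off + 4 <= len) {
        uint32_t plen = be32(buf + off);
        /* Flag the documented wrap (plen + 4 overflows uint32_t) and any
         * prefix the configured limit would reject. */
        if (plen > UINT32_MAX - 4u || plen > max_io) {
            out->alerts = 1;
            out->offset_of_alert = off;
            out->bad_prefix = plen;
            return 1;
        }
        if (off + 4 + plen > len) {
            break;                    /* truncated trailing frame */
        }
        out->frames_ok++;
        off += 4 + plen;
    }
    return 0;
}

/* Convenience wrappers: the prefix that raised the alert (0 if none) and
 * how many frames were well-formed before the scan stopped. */
static uint32_t first_bad_prefix(const unsigned char *buf, size_t len,
                                 uint32_t max_io)
{
    struct sasl_scan r;
    return scan_sasl_stream(buf, len, max_io, &r) ? r.bad_prefix : 0u;
}

static size_t frames_before_stop(const unsigned char *buf, size_t len,
                                 uint32_t max_io)
{
    struct sasl_scan r;
    scan_sasl_stream(buf, len, max_io, &r);
    return r.frames_ok;
}

/* Constructed capture fragments (not real traffic): two well-formed frames
 * followed by the advisory's 0xFFFFFFFC prefix and a few payload bytes. */
static const unsigned char SAMPLE_HOSTILE[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0xFF, 0xFF, 0xFF, 0xFC, 0x41, 0x41, 0x41, 0x41,
};

/* One complete frame, then one cut off mid-payload (partial capture). */
static const unsigned char SAMPLE_TRUNCATED[] = {
    0x00, 0x00, 0x00, 0x02, 'o', 'k',
    0x00, 0x00, 0x00, 0x0A, 'p', 'a', 'r',
};

int main(void)
{
    struct sasl_scan r;
    if (scan_sasl_stream(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE, MAXSASLIOSIZE, &r)) {
        printf("ALERT at offset %zu: prefix 0x%08X after %zu good frames\n",
               r.offset_of_alert, r.bad_prefix, r.frames_ok);
    }
    scan_sasl_stream(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, MAXSASLIOSIZE, &r);
    printf("truncated sample: %zu good frames, %zu alerts\n", r.frames_ok, r.alerts);
    return 0;
}
```

To run this over a real capture you would feed it the reassembled TCP payload of one connection starting at the first byte after the bind response; it deliberately does not decode the LDAP bind exchange itself.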
Mitigation Strategies

Immediate mitigation is to reduce who can reach the server: restrict the LDAP ports (389 and 636) to hosts that need directory access, and treat every principal that can complete a SASL bind as able to reach the flaw. In FreeIPA and Red Hat Identity Management that is every domain user, enrolled host and service account, so restricting accounts alone is not a meaningful control.

Because the flaw requires an authenticated SASL bind with a negotiated security layer, the access log (BIND ... method=sasl with the mechanism) shows which accounts and source addresses use SASL; stricter authentication policy and review of unusual SASL bind sources reduce the risk but do not remove it.

Apply the vendor fix for 389-ds-base as soon as it is available; it is the only complete remediation.

Two tempting workarounds do not hold up. Lowering nsslapd-maxsasliosize (an attribute of cn=config that can be read with ldapsearch) does not help, because the crafted prefix wraps to a total of zero, which passes any positive limit. Disabling SASL authentication is not practical in FreeIPA or Identity Management, where GSSAPI binds are how users, hosts and services authenticate to the directory.

Monitoring server stability and logs for signs of exploitation attempts and preparing incident response plans are also recommended.
