Executive Summary

CVE-2026-11785 is a security vulnerability in the 389 Directory Server's SSO token handler. It is caused by a type confusion bug in the function extop_handle_ldapssotoken_request(), where a stack pointer is incorrectly treated as an integer. This results in partial stack address information being leaked in LDAP responses to authenticated users.

Specifically, the low 32 bits of a stack address are encoded into every SSO token LDAP extended operation response, which can be exploited by an authenticated non-administrator user to obtain partial stack address data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user to leak partial stack address information from the server. While it does not provide a full bypass of security mechanisms, it reduces the effectiveness of stack address space layout randomization (ASLR).

Reducing ASLR entropy can make it easier for attackers to perform further exploitation, potentially increasing the risk of successful attacks against the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the leakage of partial stack address information in LDAP responses to authenticated users when the SSO token extended operation is used.

To detect this vulnerability, you can monitor LDAP extended operation responses related to the SSO token for unexpected integer values that may represent leaked stack addresses.

Since the issue occurs in the extop_handle_ldapssotoken_request() function, you can attempt to authenticate as a non-administrator user and issue LDAP extended operation requests for the SSO token, then inspect the responses for suspicious integer values.

Specific commands are not provided in the resources, but using ldapsearch or similar LDAP client tools to perform SSO token extended operation requests and analyzing the responses for leaked stack address integers could help detect the issue.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is caused by a type confusion bug in the SSO token handler that leaks partial stack address information.

Immediate mitigation steps include disabling the SSO token feature if it is not required, as it is enabled by default with an auto-generated secret.

Additionally, applying any available patches or updates from the vendor that address this specific issue is recommended.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes partial stack address information to be disclosed to authenticated users, which can reduce the effectiveness of stack ASLR (Address Space Layout Randomization) and potentially aid attackers in further exploitation.

While the information leak is partial and does not provide a full bypass, it still represents a security risk that could impact the confidentiality of sensitive data.

Such a security risk may affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive information and implementation of appropriate security controls to prevent unauthorized data disclosure.

Therefore, organizations using the affected 389 Directory Server should consider this vulnerability in their risk assessments and remediation plans to maintain compliance.

Useful 0 Not Useful 0