CVE-2026-11786

Analyzed Analyzed - Analysis Complete

LDIF Parser Out-of-Bounds Read in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: Red Hat, Inc.

Description

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-12

Generated

2026-06-30

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-28

NVD

CVE-2026-11786

EUVD

EUVD-2026-35417

Affected Vendors & Products

Vendor	Product	Version / Range
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	389_directory_server	*
redhat	directory_server	11.0
redhat	enterprise_linux	9.0
redhat	directory_server	12.0
redhat	enterprise_linux	10.0
redhat	directory_server	13.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-125	The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

Executive Summary

CVE-2026-11786 is a security flaw in the 389 Directory Server's LDIF parser. Specifically, when importing LDIF data that contains attribute types with trailing semicolons, the parser reads beyond the allocated heap buffer. This happens because the code checks for semicolons and then accesses memory positions without verifying if enough bytes remain, causing an out-of-bounds read.

This vulnerability is detectable under memory instrumentation tools like AddressSanitizer and requires local administrator access to exploit via the ldif2db import tool.

Impact Analysis

The vulnerability allows an out-of-bounds read in memory during LDIF database import, which can lead to memory corruption. Although production binaries may not crash due to allocator padding, the flaw could potentially cause instability or unexpected behavior in the 389 Directory Server.

Exploitation requires local administrator privileges, so the risk is limited to users with high-level access. The impact on confidentiality is low, and there is no direct impact on integrity or availability according to the CVSS score.

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the 389 Directory Server's LDIF import process, specifically when importing LDIF data containing attribute types with trailing semicolons.

Detection is possible under memory instrumentation tools such as AddressSanitizer (ASan), which can identify out-of-bounds reads during the use of the ldif2db import tool.

Since exploitation requires local administrator access and occurs during LDIF import, running the ldif2db import command on instrumented builds with ASan enabled can reveal the issue.

Use AddressSanitizer (ASan) to run the ldif2db import tool on LDIF files containing attribute types with trailing semicolons.
Example command to run ldif2db with ASan instrumentation: `ASAN_OPTIONS=detect_odr_violation=0 ./ldif2db <ldif-file>`

Mitigation Strategies

Immediate mitigation steps include restricting local administrator access to the ldif2db import tool to trusted users only, as exploitation requires local admin privileges.

Avoid importing LDIF data containing attribute types with trailing semicolons until a patched version of 389 Directory Server is applied.

Monitor for updates or patches from the vendor and apply them promptly once available.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2026-11786. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70