CVE-2026-11786
Undergoing Analysis Undergoing Analysis - In Progress
LDIF Parser Out-of-Bounds Read in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-11786
EUVD
EUVD-2026-35417
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat 389_directory_server *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-11786 is a security flaw in the 389 Directory Server's LDIF parser. Specifically, when importing LDIF data that contains attribute types with trailing semicolons, the parser reads beyond the allocated heap buffer. This happens because the code checks for semicolons and then accesses memory positions without verifying if enough bytes remain, causing an out-of-bounds read.

This vulnerability is detectable under memory instrumentation tools like AddressSanitizer and requires local administrator access to exploit via the ldif2db import tool.

Impact Analysis

The vulnerability allows an out-of-bounds read in memory during LDIF database import, which can lead to memory corruption. Although production binaries may not crash due to allocator padding, the flaw could potentially cause instability or unexpected behavior in the 389 Directory Server.

Exploitation requires local administrator privileges, so the risk is limited to users with high-level access. The impact on confidentiality is low, and there is no direct impact on integrity or availability according to the CVSS score.

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the 389 Directory Server's LDIF import process, specifically when importing LDIF data containing attribute types with trailing semicolons.

Detection is possible under memory instrumentation tools such as AddressSanitizer (ASan), which can identify out-of-bounds reads during the use of the ldif2db import tool.

Since exploitation requires local administrator access and occurs during LDIF import, running the ldif2db import command on instrumented builds with ASan enabled can reveal the issue.

  • Use AddressSanitizer (ASan) to run the ldif2db import tool on LDIF files containing attribute types with trailing semicolons.
  • Example command to run ldif2db with ASan instrumentation: `ASAN_OPTIONS=detect_odr_violation=0 ./ldif2db <ldif-file>`
Mitigation Strategies

Immediate mitigation steps include restricting local administrator access to the ldif2db import tool to trusted users only, as exploitation requires local admin privileges.

Avoid importing LDIF data containing attribute types with trailing semicolons until a patched version of 389 Directory Server is applied.

Monitor for updates or patches from the vendor and apply them promptly once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11786. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart