CVE-2026-11787
Status: Awaiting Analysis
Heap Buffer Over-Read in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.
Affected Vendors & Products
Vendor: redhat
Product: 389_directory_server
Version / Range: * (all versions, per the associated CPE)
CWE
CWE-126: The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Executive Summary

CVE-2026-11787 is a security vulnerability in the 389 Directory Server, specifically in the ldap_utf8prev() function. This function reads bytes before the start of a buffer without proper bounds checking, causing a heap buffer over-read of up to 6 bytes. This flaw exists because the function lacks a lower-bound parameter and has multiple vulnerable call sites. Although it cannot be triggered through standard LDAP wire protocol, internal components processing attacker-influenced data, such as plugin configurations, ACI definitions, or replication, may be affected.
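The missing lower bound described above is easiest to see in code. The following is an added illustration, not code from 389 Directory Server or from this advisory: a hypothetical previous-UTF-8-character walk (`utf8prev_bounded`) that takes the `start` pointer the summary says the real function lacks, and a caller (`count_chars_backwards`) that uses it to walk a buffer backwards without ever dereferencing a byte before the buffer. Function names and the sample byte strings are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: true for a UTF-8 continuation byte (10xxxxxx). */
static int is_continuation(unsigned char c) { return (c & 0xC0) == 0x80; }

/* Bounded "previous UTF-8 character" walk. Hypothetical, not 389-ds code:
 * `start` is the lower bound the summary says the real function lacks. The
 * scan steps back over continuation bytes but never dereferences below
 * `start`. Returns the lead byte of the preceding character, or NULL when
 * `s` is already at `start` or the bytes down to `start` are malformed. */
const char *utf8prev_bounded(const char *start, const char *s)
{
    if (start == NULL || s == NULL || s <= start)
        return NULL;
    const char *p = s;
    /* A well-formed UTF-8 character is at most 4 bytes: lead + 3 continuation. */
    for (int i = 0; i < 4 && p > start; i++) {
        p--;
        if (!is_continuation((unsigned char)*p))
            return p;
    }
    /* Only continuation bytes down to the bound, or too many in a row:
     * refuse instead of reading before the buffer. */
    return NULL;
}

/* Walk a buffer backwards character by character; -1 signals malformed input
 * that an unbounded walk would have chased past the start of the buffer. */
int count_chars_backwards(const char *buf, size_t len)
{
    const char *p = buf + len;
    int n = 0;
    while (p > buf) {
        p = utf8prev_bounded(buf, p);
        if (p == NULL)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: "ab" + U+00E9, then a buffer opening with stray continuation bytes. */
    printf("%d\n", count_chars_backwards("ab\xC3\xA9", 4));   /* 3 */
    printf("%d\n", count_chars_backwards("\x80\x80" "a", 3)); /* -1 */
    return 0;
}
```

The second input is the case that matters for this CVE: a walk with no lower bound keeps stepping back over continuation bytes and leaves the allocation, whereas the bounded version stops at `start` and reports malformed input.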

Impact Analysis

The heap buffer over-read caused by this vulnerability may influence internal filter processing behavior within the 389 Directory Server. While no crashes have been observed in production binaries, the flaw could potentially lead to unexpected behavior or information leakage when processing attacker-controlled data internally. The vulnerability has a medium severity with a CVSS base score of 5.0, indicating a moderate impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability is a heap buffer over-read in the ldap_utf8prev() function of 389 Directory Server and is not triggered via the standard LDAP wire protocol. The over-read was confirmed with AddressSanitizer (ASan) on aarch64, so running an ASan-instrumented build of the 389 Directory Server binaries is the most direct way to detect it.

Since the vulnerability affects internal callers processing attacker-influenced data such as plugin configuration, ACI definitions, or replication, monitoring or auditing these internal configurations for unusual or malformed data might help in detection.

No specific network commands or standard LDAP queries can directly detect exploitation attempts because BER filters are parsed separately and do not trigger the flaw.

Mitigation Strategies

Immediate mitigation steps include updating the 389 Directory Server to a version where this vulnerability is fixed, as the root cause has been addressed in patches following the report.

Until an update can be applied, restrict or carefully audit any attacker-influenced internal data inputs such as plugin configurations, ACI definitions, and replication data to minimize the risk of triggering the heap buffer over-read.

Additionally, consider running the server with AddressSanitizer enabled in testing environments to detect any potential heap over-read issues.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
