CVE-2026-11788
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.
CVSS Scores: none listed yet
EPSS Scores: probability and percentile not yet evaluated
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: redhat
Product: 389_directory_server
Version / Range: from 1.2.6 (inclusive); no upper bound listed
CWE
CWE-476 (NULL Pointer Dereference): the product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11788 is a NULL pointer dereference in the 389 Directory Server's dereference (deref) control plugin. The plugin does not check whether allocation of a BER structure succeeded before using it: `deref_parse_ctrl_value()` calls `ber_init()` but never verifies that the returned pointer is non-NULL. An unauthenticated remote attacker can therefore send an LDAP search request carrying the deref control and, if that allocation fails because the system is under memory pressure, crash the LDAP server process (`ns-slapd`).

The deref plugin is enabled by default, and the vulnerable code has been present since 389-ds-base 1.2.6, released around 2010.

Impact Analysis

An unauthenticated attacker can use this flaw to cause a denial of service by crashing ns-slapd. Each 389 Directory Server instance is a single multithreaded process, so the crash takes down every suffix the instance serves; authentication, authorization and any other directory-dependent operations fail until the process is restarted. The trigger depends on an allocation failure, so the attack succeeds only while the host is under memory pressure, which makes the outcome intermittent rather than deterministic.

Detection Guidance

Exploitation shows up as a crash or abnormal termination of the ns-slapd process, the LDAP server process of 389 Directory Server.

Because the trigger is an unauthenticated client sending a search request with the deref control while the server is short of memory, look for core dumps or crash logs for ns-slapd reporting SIGSEGV (the usual signal for a NULL dereference) or SIGABRT, especially alongside out-of-memory conditions on the host.

To detect attempts to exploit this vulnerability, you can monitor LDAP search requests that include the dereference control.

Suggested commands to help detect the vulnerability or its exploitation attempts include:

  • Check for ns-slapd crashes. 389 Directory Server runs one systemd unit per instance (`dirsrv@<instance>.service`, grouped under `dirsrv.target`), so query those units: `journalctl -u 'dirsrv@*' --since "1 hour ago" | grep -iE "segfault|abort|core dump|exited"`, and `coredumpctl list ns-slapd` for captured cores. The kernel's own "segfault at" line for the process goes to `journalctl -k`.
  • Monitor LDAP traffic for search requests carrying the dereference control, OID 1.3.6.1.4.1.4203.666.5.16: capture with `tcpdump -i <interface> -s 0 -w ldap_traffic.pcap port 389`, then filter with `tshark -r ldap_traffic.pcap -Y 'ldap.controlType == "1.3.6.1.4.1.4203.666.5.16"'`. This only works for cleartext LDAP; requests over LDAPS (port 636) or after StartTLS are not visible on the wire, so for those rely on the crash indicators above.
  • Check the installed version with `rpm -q 389-ds-base`. The vulnerable plugin has shipped in every release from 1.2.6 onward, so any version at or above 1.2.6 is affected unless it already contains the vendor fix.
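The following C program is an added illustration, not code from 389-ds-base or from this page, of the two points made above: the allocation check that the executive summary says is missing in `deref_parse_ctrl_value()`, and the on-the-wire detection of the dereference control. Only the control OID 1.3.6.1.4.1.4203.666.5.16 and the RFC 4511 result codes are real; the BER walker, the `BerElement` stand-in for `ber_init()`, the `g_simulate_oom` switch, the function names and the sample SearchRequest bytes are all constructed for this example. `parse_deref_value_unchecked()` follows the pattern the advisory describes, and `parse_deref_value_checked()` adds the one missing check, so that a failed allocation fails the operation instead of the whole `ns-slapd` process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { LDAP_SUCCESS = 0, LDAP_OPERATIONS_ERROR = 1, LDAP_PROTOCOL_ERROR = 2 };   /* RFC 4511 result codes */
#define DEREF_OID "1.3.6.1.4.1.4203.666.5.16"   /* dereference control OID (draft-masarati-ldap-deref) */

/* Read one BER tag and definite length; returns the header size, or 0 if truncated. */
static size_t read_tl(const unsigned char *p, size_t n, unsigned char *tag, size_t *len)
{
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return *len <= n - 2 ? 2 : 0; }
    size_t nb = p[1] & 0x7f, l = 0;
    if (nb == 0 || nb > sizeof l || n < 2 + nb) return 0;
    for (size_t i = 0; i < nb; i++) l = (l << 8) | p[2 + i];
    *len = l;
    return l <= n - 2 - nb ? 2 + nb : 0;
}

/* Detection: walk LDAPMessage { messageID, protocolOp, [0] Controls OPTIONAL } for the deref OID.
 * Returns 1 (controlValue in *val/*vlen, vlen 0 if absent), 0 if not present, -1 if malformed. */
int find_deref_control(const unsigned char *msg, size_t n, const unsigned char **val, size_t *vlen)
{
    unsigned char tag; size_t len, h, fh, flen;
    if (!(h = read_tl(msg, n, &tag, &len)) || tag != 0x30) return -1;
    const unsigned char *p = msg + h, *end = p + len;
    if (!(h = read_tl(p, end - p, &tag, &len)) || tag != 0x02) return -1;   /* messageID */
    p += h + len;
    if (!(h = read_tl(p, end - p, &tag, &len))) return -1;                  /* protocolOp, skipped */
    p += h + len;
    if (p == end) return 0;                                                  /* no controls at all */
    if (!(h = read_tl(p, end - p, &tag, &len)) || tag != 0xa0) return -1;   /* [0] Controls */
    for (const unsigned char *c = p + h, *cend = c + len; c < cend; c += h + len) {
        if (!(h = read_tl(c, cend - c, &tag, &len)) || tag != 0x30) return -1;  /* Control */
        const unsigned char *f = c + h, *fend = f + len;
        if (!(fh = read_tl(f, fend - f, &tag, &flen)) || tag != 0x04) return -1; /* controlType */
        if (flen != strlen(DEREF_OID) || memcmp(f + fh, DEREF_OID, flen) != 0) continue;
        *val = NULL; *vlen = 0;
        for (f += fh + flen; f < fend; f += fh + flen) {   /* optional criticality, controlValue */
            if (!(fh = read_tl(f, fend - f, &tag, &flen))) return -1;
            if (tag == 0x04) { *val = f + fh; *vlen = flen; }
        }
        return 1;
    }
    return 0;
}

/* Stand-in for lber's ber_init(): NULL on allocation failure, as with the real call. g_simulate_oom
 * is a test hook that forces that path so the failure mode can be exercised without real memory pressure. */
typedef struct { const unsigned char *buf; size_t len; } BerElement;
int g_simulate_oom = 0;
static BerElement *ber_init_sim(const unsigned char *buf, size_t len)
{
    BerElement *ber = g_simulate_oom ? NULL : malloc(sizeof *ber);
    if (ber) { ber->buf = buf; ber->len = len; }
    return ber;
}

/* Decode controlValue ::= SEQUENCE OF DerefSpec and count the specs (fields inside each spec are not decoded). */
static int count_specs(const unsigned char *v, size_t n, int *nspecs)
{
    unsigned char tag; size_t len, h;
    *nspecs = 0;
    if (!(h = read_tl(v, n, &tag, &len)) || tag != 0x30 || h + len != n) return LDAP_PROTOCOL_ERROR;
    for (const unsigned char *p = v + h, *end = p + len; p < end; p += h + len, (*nspecs)++)
        if (!(h = read_tl(p, end - p, &tag, &len)) || tag != 0x30) return LDAP_PROTOCOL_ERROR;
    return LDAP_SUCCESS;
}

/* The pattern the advisory describes: no NULL check after ber_init(), so when the allocation
 * fails the first field access dereferences NULL and the whole ns-slapd process dies. */
int parse_deref_value_unchecked(const unsigned char *v, size_t n, int *nspecs)
{
    BerElement *ber = ber_init_sim(v, n);
    int rc = count_specs(ber->buf, ber->len, nspecs);   /* crashes here when ber == NULL */
    free(ber);
    return rc;
}

/* Hardened form: a failed allocation fails this one operation, not the server. */
int parse_deref_value_checked(const unsigned char *v, size_t n, int *nspecs)
{
    BerElement *ber = ber_init_sim(v, n);
    if (ber == NULL) return LDAP_OPERATIONS_ERROR;       /* the missing check */
    int rc = count_specs(ber->buf, ber->len, nspecs);
    free(ber);
    return rc;
}

/* Constructed sample: SearchRequest (base "", subtree, (objectClass=*)) with the deref control
 * (criticality TRUE) carrying one DerefSpec { derefAttr "member", attributes ["cn"] }. */
static const unsigned char REQ_DEREF[] =
    "\x30\x5b" "\x02\x01\x01"
    "\x63\x20" "\x04\x00" "\x0a\x01\x02" "\x0a\x01\x00" "\x02\x01\x00" "\x02\x01\x00"
    "\x01\x01\x00" "\x87\x0b" "objectClass" "\x30\x00"
    "\xa0\x34" "\x30\x32" "\x04\x19" DEREF_OID "\x01\x01\xff"
    "\x04\x12" "\x30\x10" "\x30\x0e" "\x04\x06" "member" "\x30\x04" "\x04\x02" "cn";

int main(void)
{
    const unsigned char *val; size_t vlen; int n;
    printf("deref control found=%d\n", find_deref_control(REQ_DEREF, sizeof REQ_DEREF - 1, &val, &vlen));
    printf("normal: rc=%d\n", parse_deref_value_checked(val, vlen, &n));
    g_simulate_oom = 1;   /* memory pressure: the checked parser returns an error, the unchecked one would crash */
    printf("under OOM: rc=%d\n", parse_deref_value_checked(val, vlen, &n));
    return 0;
}
```

Built with `cc -Wall -o deref_check deref_check.c` (file name assumed), the program reports the control as found, `rc=0` for the normal parse and `rc=1` (operationsError) once the simulated allocation failure is switched on. Calling `parse_deref_value_unchecked()` with `g_simulate_oom = 1` instead reproduces the crash class the advisory describes, which is why the test below only exercises it on the success path.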
Mitigation Strategies

Immediate mitigation steps include:

  • Apply the vendor patch or update that addresses this vulnerability as soon as it is available; this is the only complete fix.
  • If patching is not immediately possible, disable the dereference plugin: set `nsslapd-pluginEnabled: off` on the entry `cn=deref,cn=plugins,cn=config` (for example with ldapmodify as Directory Manager) and restart the instance. Confirm first that no client depends on the deref control, because those requests lose that functionality once the plugin is off.
  • Keep the host out of memory pressure, since the crash requires an allocation failure: size memory with headroom, set sane limits for ns-slapd (cache sizes, connection and thread counts) and alert on low free memory. Treat this as reducing likelihood, not as a fix.
  • Reduce exposure to unauthenticated clients: restrict anonymous access (`nsslapd-allow-anonymous-access` in `cn=config`) where the deployment allows it, and firewall the LDAP ports (389/636) to known client networks.