CVE-2026-11788

Analyzed Analyzed - Analysis Complete

BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: Red Hat, Inc.

Description

A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-12

Generated

2026-06-30

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-28

NVD

CVE-2026-11788

EUVD

EUVD-2026-35420

Affected Vendors & Products

Vendor	Product	Version / Range
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	389_directory_server	*
redhat	directory_server	11.0
redhat	enterprise_linux	9.0
redhat	directory_server	12.0
redhat	enterprise_linux	10.0
redhat	directory_server	13.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-476	The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

Executive Summary

CVE-2026-11788 is a vulnerability in the 389 Directory Server's dereference control plugin. The flaw occurs because the plugin does not check if memory allocation for a BER structure fails before using it. Specifically, the function `deref_parse_ctrl_value()` calls `ber_init()` but does not verify if it returns NULL. This allows an unauthenticated remote attacker to send a specially crafted LDAP search request with the deref control, which can cause the LDAP server process (`ns-slapd`) to crash when the system is under memory pressure.

The deref plugin is enabled by default and this vulnerable code has existed since version 1.2.6 of 389-ds-base, introduced around 2010.

Impact Analysis

This vulnerability can be exploited by an unauthenticated attacker to cause a denial of service (DoS) by crashing the LDAP server process. When the server crashes, it becomes unavailable to legitimate users and services relying on it for directory services, potentially disrupting authentication, authorization, and other directory-dependent operations.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal terminations of the ns-slapd process, which is the LDAP server process for 389 Directory Server.

Since the issue occurs when an unauthenticated LDAP client sends a search request with the deref control under memory pressure, you can look for crash logs or core dumps indicating SIGABRT or SIGSEGV signals related to ns-slapd.

To detect attempts to exploit this vulnerability, you can monitor LDAP search requests that include the dereference control.

Suggested commands to help detect the vulnerability or its exploitation attempts include:

Check for ns-slapd crashes in system logs: `journalctl -u 389-ds.service --since "1 hour ago" | grep -i "segfault\|abort"`
Monitor LDAP traffic for search requests with deref control using tcpdump or tshark: `tcpdump -i <interface> -s 0 -w ldap_traffic.pcap port 389` and then analyze with Wireshark or tshark for deref control presence.
Check running version of 389 Directory Server to identify if it is older than version 1.2.6 where the vulnerable plugin was introduced.

Mitigation Strategies

Immediate mitigation steps include:

Apply any available patches or updates from your vendor that address this vulnerability.
If patching is not immediately possible, consider disabling the dereference control plugin in the 389 Directory Server configuration to prevent exploitation.
Monitor system memory usage and ensure the server is not under memory pressure, as the vulnerability is triggered under such conditions.
Restrict unauthenticated LDAP search requests or implement network-level controls to limit access to the LDAP server.

Hi! I’m here to help you understand CVE-2026-11788. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70