CVE-2026-11789
Analyzed Analyzed - Analysis Complete

BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-12
Generated
2026-06-30
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
CVE-2026-11789
EUVD
EUVD-2026-35421

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat 389_directory_server *
redhat directory_server 11.0
redhat enterprise_linux 9.0
redhat directory_server 12.0
redhat enterprise_linux 10.0
redhat directory_server 13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-11789 affects the 389 Directory Server's SMD5 password storage plugin. It arises from an integer underflow when calculating the salt length from a crafted password hash that is shorter than 16 bytes. This underflow causes the salt length to wrap around to a very large number, leading to a buffer over-read.

Specifically, the plugin subtracts the fixed MD5 hash length (16 bytes) from the decoded hash length using unsigned 32-bit arithmetic. If the decoded hash length is less than 16 bytes, the subtraction underflows, resulting in a large incorrect salt length. When the system attempts to process this, it reads beyond the intended buffer, causing the LDAP server process (ns-slapd) to crash with a segmentation fault (SIGSEGV).

An attacker with Directory Manager privileges can exploit this by planting a maliciously crafted SMD5 hash. Any subsequent authentication attempt (BIND operation) triggers the crash, causing a denial of service.

Impact Analysis

This vulnerability can cause the 389 Directory Server to crash during authentication attempts, resulting in a denial of service (DoS).

An attacker with Directory Manager privileges can exploit this flaw by inserting a specially crafted SMD5 password hash. This causes the LDAP server to crash whenever a user attempts to authenticate, potentially disrupting services that rely on the directory server for authentication and authorization.

Detection Guidance

This vulnerability causes the ns-slapd process of the 389 Directory Server to crash with a SIGSEGV signal during authentication when a maliciously crafted SMD5 password hash shorter than 16 bytes is used.

To detect this vulnerability on your system, monitor the ns-slapd process for unexpected crashes or segmentation faults, especially during LDAP BIND operations.

You can check system logs (e.g., /var/log/messages, /var/log/syslog, or journalctl) for crash reports related to ns-slapd.

Additionally, you can use commands like:

  • journalctl -u ns-slapd.service --since "1 hour ago" | grep -i segfault
  • grep -i ns-slapd /var/log/messages | grep -i crash
  • ps aux | grep ns-slapd (to check if the process is running)
  • Use LDAP client tools to perform BIND operations and observe if the server crashes, indicating exploitation attempts.
Mitigation Strategies

Immediate mitigation steps include:

  • Restrict Directory Manager privileges to trusted administrators only, as exploitation requires these privileges.
  • Monitor and audit password hashes stored in the 389 Directory Server to detect and remove any SMD5 hashes shorter than 16 bytes.
  • Avoid accepting or processing authentication requests with suspicious or malformed SMD5 password hashes.
  • Apply any available patches or updates from your vendor addressing this vulnerability as soon as they are released.
  • Consider temporarily disabling the SMD5 password storage plugin if feasible until a patch is applied.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11789. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart