CVE-2026-11790

Analyzed Analyzed - Analysis Complete

PBKDF2-SHA256 Password Hash Iteration DoS in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: Red Hat, Inc.

Description

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-12

Generated

2026-06-30

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-28

NVD

CVE-2026-11790

EUVD

EUVD-2026-35422

Affected Vendors & Products

Vendor	Product	Version / Range
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	directory_server	11.0
redhat	enterprise_linux	9.0
redhat	directory_server	12.0
redhat	enterprise_linux	10.0
redhat	directory_server	13.0
redhat	389_directory_server	1.3.6.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-400	The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

Executive Summary

CVE-2026-11790 is a vulnerability in the 389 Directory Server's PBKDF2-SHA256 password storage plugin. The flaw is that the plugin does not enforce an upper limit on the iteration count extracted from stored password hashes.

A privileged attacker with Directory Manager rights can modify a user's password hash to include an extremely high iteration count. When the server attempts to authenticate using this malicious hash, it consumes excessive CPU resources, causing worker threads to hang and resulting in a denial of service.

Both the C and Rust implementations of the plugin are affected, and this issue was introduced in version 1.3.6 of 389-ds-base.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition on the 389 Directory Server.

An attacker with privileged access can cause the server to consume excessive CPU resources during authentication, which can hang worker threads for extended periods.

This results in the server being unable to process legitimate authentication requests, potentially disrupting services that rely on the directory server for authentication.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU consumption on the 389 Directory Server during LDAP BIND operations, especially when authentication attempts involve accounts with potentially malicious password hashes.

Since the issue arises when a privileged attacker modifies a user's password hash to have an extremely high iteration count, detection involves checking password hashes for abnormally large iteration counts.

Specific commands are not provided in the resources, but administrators can inspect password hashes stored in the 389 Directory Server for iteration counts that exceed normal expected values.

Mitigation Strategies

Immediate mitigation involves restricting privileged access to the Directory Manager account to prevent attackers from inserting malicious password hashes with excessive iteration counts.

Monitoring and limiting CPU usage on the server during LDAP BIND operations can help detect and reduce the impact of denial of service attempts.

Applying any available patches or updates that enforce an upper bound on the iteration count in the PBKDF2-SHA256 password storage plugin is recommended once they are released.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2026-11790. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70