CVE-2026-11790
Status: Undergoing Analysis - In Progress
PBKDF2-SHA256 Password Hash Iteration DoS in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.
Meta Information
Generated: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor   Product                Version / Range
redhat   389_directory_server   *
redhat   389_directory_server   From 1.3.6 (inc)
redhat   389_directory_server   1.3.6
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions
Executive Summary

CVE-2026-11790 is a vulnerability in the 389 Directory Server's PBKDF2-SHA256 password storage plugin. The flaw is that the plugin does not enforce an upper limit on the iteration count extracted from stored password hashes.

A privileged attacker with Directory Manager rights can modify a user's password hash to include an extremely high iteration count. When the server attempts to authenticate using this malicious hash, it consumes excessive CPU resources, causing worker threads to hang and resulting in a denial of service.

Both the C and Rust implementations of the plugin are affected, and this issue was introduced in version 1.3.6 of 389-ds-base.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition on the 389 Directory Server.

An attacker with privileged access can cause the server to consume excessive CPU resources during authentication, which can hang worker threads for extended periods.

This results in the server being unable to process legitimate authentication requests, potentially disrupting services that rely on the directory server for authentication.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU consumption on the 389 Directory Server during LDAP BIND operations, and by correlating such spikes with the accounts whose stored password hashes are being verified.

Since the issue arises when a privileged attacker modifies a user's password hash to have an extremely high iteration count, detection involves checking password hashes for abnormally large iteration counts.

Specific commands are not provided in the resources, but administrators can inspect password hashes stored in the 389 Directory Server for iteration counts that exceed normal expected values.

Mitigation Strategies

Immediate mitigation involves restricting privileged access to the Directory Manager account to prevent attackers from inserting malicious password hashes with excessive iteration counts.

Monitoring and limiting CPU usage on the server during LDAP BIND operations can help detect and reduce the impact of denial of service attempts.

Applying any available patches or updates that enforce an upper bound on the iteration count in the PBKDF2-SHA256 password storage plugin is recommended once they are released.
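The detection guidance (inspect stored hashes for abnormally large iteration counts) and the mitigation (enforce an upper bound on the count before deriving the key) share one parsing step, so the following added example covers both. It is not code from 389 Directory Server or from this advisory; it assumes a storage layout of scheme tag plus base64(4-byte big-endian iterations || salt || derived key), the policy bounds MIN_ITERATIONS and MAX_ITERATIONS, and the LDIF attribute name userPassword, all of which are assumptions for the illustration rather than statements about 389-ds's actual format. The vulnerable verify path trusts the stored count; the hardened one refuses out-of-policy counts before doing any work, which is the behaviour the advisory says the patched plugin should have.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Policy bounds for the iteration count. Both numbers are constructed for this
# example; they are not values taken from 389-ds or from the advisory.
MIN_ITERATIONS = 10_000
MAX_ITERATIONS = 1_000_000

# Assumed storage layout (an assumption for the example, not 389-ds's actual
# on-disk format): scheme tag + base64( 4-byte big-endian iterations || salt || derived key ).
SCHEME = "{PBKDF2-SHA256}"
SALT_LEN = 16
DK_LEN = 32


def encode_hash(password: str, iterations: int, salt: bytes = b"") -> str:
    """Build a stored hash value for a password in the assumed layout."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DK_LEN)
    return SCHEME + base64.b64encode(struct.pack(">I", iterations) + salt + dk).decode()


def parse_hash(stored: str) -> tuple:
    """Split a stored value into (iterations, salt, derived key); raise ValueError if malformed."""
    if not stored.startswith(SCHEME):
        raise ValueError("unexpected password scheme")
    blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(blob) != 4 + SALT_LEN + DK_LEN:
        raise ValueError("unexpected hash length")
    iterations = struct.unpack(">I", blob[:4])[0]
    return iterations, blob[4:4 + SALT_LEN], blob[4 + SALT_LEN:]


def verify_unbounded(password: str, stored: str) -> bool:
    """The vulnerable pattern: the work factor comes straight from the stored value,
    so a tampered value with a huge count makes every BIND for that account burn CPU."""
    iterations, salt, dk = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DK_LEN)
    return hmac.compare_digest(candidate, dk)


def verify_bounded(password: str, stored: str) -> bool:
    """The hardened pattern: reject out-of-policy counts before any key derivation,
    so the BIND simply fails instead of tying up a worker thread."""
    iterations, salt, dk = parse_hash(stored)
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DK_LEN)
    return hmac.compare_digest(candidate, dk)


def scan_ldif(ldif_text: str) -> list:
    """Detection pass over an LDIF export: return (dn, iterations) for each entry whose
    PBKDF2-SHA256 count exceeds MAX_ITERATIONS; malformed hashes are reported with -1."""
    findings = []
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            continue
        if line.startswith("userPassword:: "):          # LDIF base64-wrapped value
            stored = base64.b64decode(line[len("userPassword:: "):]).decode()
        elif line.startswith("userPassword: "):
            stored = line[len("userPassword: "):].strip()
        else:
            continue
        if not stored.startswith(SCHEME):
            continue                                    # other schemes are out of scope here
        try:
            iterations = parse_hash(stored)[0]
        except ValueError:
            findings.append((dn, -1))
            continue
        if iterations > MAX_ITERATIONS:
            findings.append((dn, iterations))
    return findings


def tampered_sample(iterations: int) -> str:
    """Test fixture only: a stored value carrying the given count with a zero-filled salt
    and derived key, standing in for the modified hash the advisory describes."""
    blob = struct.pack(">I", iterations) + bytes(SALT_LEN) + bytes(DK_LEN)
    return SCHEME + base64.b64encode(blob).decode()


if __name__ == "__main__":
    # Constructed LDIF fragment: one healthy entry and one with an out-of-policy count.
    ldif = "\n".join([
        "dn: uid=alice,ou=people,dc=example,dc=com",
        "userPassword: " + encode_hash("correct horse", 50_000),
        "",
        "dn: uid=bob,ou=people,dc=example,dc=com",
        "userPassword: " + tampered_sample(2**31),
    ])
    for dn, count in scan_ldif(ldif):
        print(f"out-of-policy iteration count {count} on {dn}")
    print("bounded verify on tampered entry:", verify_bounded("anything", tampered_sample(2**31)))
```

Running the scan over a directory export from a read-only replica (or a scheduled LDIF dump) gives a low-cost check for the tampered hashes the detection guidance describes, without touching the live BIND path; the bounded verify shows why an upper bound neutralises the DoS, since a count of 2**31 is rejected in constant time instead of being iterated over.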

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
