CVE-2026-11791
Received Received - Intake
BaseFortify

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-11791
EUVD
EUVD-2026-37902
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat 389_directory_server *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11791 is a use-after-free vulnerability in the 389 Directory Server that occurs during schema reload operations.

The problem arises because the function attr_syntax_swap_ht() unconditionally frees attribute syntax information nodes without using the usual reference-count-based deferred deletion method employed elsewhere in the code.

If an administrator triggers a schema reload while LDAP queries are actively running, worker threads may try to access memory that has already been freed, leading to use-after-free or double-free errors.

This can cause the server to crash due to segmentation faults (SIGSEGV).

The vulnerability is related to a race condition during schema reload and is exacerbated by a memory leak in another function that mishandles reference counts.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by causing the 389 Directory Server to crash.

If an attacker or administrator triggers a schema reload while LDAP queries are active, the server may experience use-after-free or double-free errors, resulting in worker threads accessing invalid memory.

The resulting crashes can disrupt directory services, potentially impacting authentication, authorization, and other LDAP-dependent operations.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or SIGSEGV errors in the 389 Directory Server during schema reload operations while LDAP queries are active.

To reproduce or detect the issue, an administrator can trigger a schema reload using the command `dsconf schema reload` or by modifying the LDAP schema at `cn=schema,cn=config` while concurrent LDAP queries are running.

Using environment variable `MALLOC_PERTURB_=170` during testing can help in controlled reproduction of the use-after-free condition.

Mitigation Strategies

Immediate mitigation involves avoiding triggering schema reload operations while LDAP query traffic is active, as the vulnerability occurs during concurrent schema reload and LDAP queries.

Administrators should apply any available patches or updates that address this issue once released, as the flaw is due to improper memory management in the `attr_syntax_swap_ht()` function.

Until a fix is applied, schedule schema reloads during maintenance windows with minimal or no LDAP query activity to prevent server crashes.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11791. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart