CVE-2026-11791
Modified Modified - Updated After Analysis

BaseFortify

Vulnerability report for CVE-2026-11791, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-30
Generated
2026-07-09
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat 389_directory_server *
redhat directory_server 11.0
redhat enterprise_linux 9.0
redhat directory_server 12.0
redhat enterprise_linux 10.0
redhat directory_server 13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11791 is a use-after-free vulnerability in the 389 Directory Server that occurs during schema reload operations.

The problem arises because the function attr_syntax_swap_ht() unconditionally frees attribute syntax information nodes without using the usual reference-count-based deferred deletion method employed elsewhere in the code.

If an administrator triggers a schema reload while LDAP queries are actively running, worker threads may try to access memory that has already been freed, leading to use-after-free or double-free errors.

This can cause the server to crash due to segmentation faults (SIGSEGV).

The vulnerability is related to a race condition during schema reload and is exacerbated by a memory leak in another function that mishandles reference counts.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by causing the 389 Directory Server to crash.

If an attacker or administrator triggers a schema reload while LDAP queries are active, the server may experience use-after-free or double-free errors, resulting in worker threads accessing invalid memory.

The resulting crashes can disrupt directory services, potentially impacting authentication, authorization, and other LDAP-dependent operations.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or SIGSEGV errors in the 389 Directory Server during schema reload operations while LDAP queries are active.

To reproduce or detect the issue, an administrator can trigger a schema reload using the command `dsconf schema reload` or by modifying the LDAP schema at `cn=schema,cn=config` while concurrent LDAP queries are running.

Using environment variable `MALLOC_PERTURB_=170` during testing can help in controlled reproduction of the use-after-free condition.

Mitigation Strategies

Immediate mitigation involves avoiding triggering schema reload operations while LDAP query traffic is active, as the vulnerability occurs during concurrent schema reload and LDAP queries.

Administrators should apply any available patches or updates that address this issue once released, as the flaw is due to improper memory management in the `attr_syntax_swap_ht()` function.

Until a fix is applied, schedule schema reloads during maintenance windows with minimal or no LDAP query activity to prevent server crashes.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11791. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart