CVE-2026-11792
Status: Undergoing Analysis - In Progress
Heap Buffer Overflow in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.
Affected Vendors & Products
Showing 4 associated CPEs
Vendor    Product                 Version / Range
redhat    389_directory_server    *
red_hat   389_directory_server    *
red_hat   389_ds_base             *
red_hat   389_directory_server    From 9.0 (inc) to 10.0 (exc)
CWE ID: CWE-122
Description: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Executive Summary

CVE-2026-11792 is a heap buffer overflow vulnerability in the audit logging feature of 389 Directory Server. The function create_masked_entry_string() in auditlog.c copies a fixed-length password mask string into a heap buffer that is sized from the output of slapi_entry2str(). When a short cleartext password (fewer than 23 characters) is logged, the copy overflows the allocated buffer because the function does not check that enough space is available before copying.

This vulnerability can only be triggered under certain conditions: audit logging must be enabled, and either the passwordStorageScheme must be set to CLEAR (which is not the default and generally discouraged) or a compromised replication peer must send short cleartext passwords via replicated ADD operations, bypassing password hashing.

Impact Analysis

The heap buffer overflow caused by this vulnerability can corrupt heap memory and audit log output. While production binaries may sometimes absorb the overflow due to allocator padding without immediate crashes, the underlying heap corruption poses a security risk.

The CVSS v3.1 base score is 3.3, a low severity rating. The vector is: network attack vector, high attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact.

Potential impacts include integrity and availability issues due to heap corruption, which could lead to unexpected behavior or denial of service in the 389 Directory Server audit logging functionality.

Detection Guidance

Exposure to this vulnerability can be assessed by verifying whether audit logging is enabled on the 389 Directory Server, checking whether passwordStorageScheme is set to CLEAR in the configuration, and monitoring for replicated ADD operations that send short cleartext passwords.

Since the vulnerability involves a heap buffer overflow in the audit log password masking feature, detection may involve monitoring audit logs for corruption or unusual output patterns.

Specific commands are not provided in the available resources.
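
The configuration check described above can be scripted. The following is an added example, not code from Red Hat or the 389 Directory Server project: it parses the text of a dse.ldif file and reports whether audit logging is on and whether any entry sets passwordStorageScheme to CLEAR. It assumes the cn=config attribute names nsslapd-auditlog-logging-enabled and passwordStorageScheme; the function names and the embedded sample are constructed for illustration.

```python
import base64

# Constructed sample of dse.ldif content (not taken from a real server).
SAMPLE_DSE = """\
dn: cn=config
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog: /var/log/dirsrv/slapd-example/au
 dit
PasswordStorageScheme:: Q0xFQVI=

dn: cn=replication,cn=config
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> values."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def exposure(text):
    """Report the two locally checkable preconditions named in the advisory."""
    audit_on, clear_dns = False, []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        if dn.lower() == "cn=config":
            audit_on = "on" in [v.lower() for v in e.get("nsslapd-auditlog-logging-enabled", [])]
        if any(v.upper() == "CLEAR" for v in e.get("passwordstoragescheme", [])):
            clear_dns.append(dn)
    return {"audit_logging": audit_on, "clear_scheme_in": clear_dns,
            "exposed": audit_on and bool(clear_dns)}

print(exposure(SAMPLE_DSE))
```

This covers only the local configuration conditions; the replication-peer condition has to be assessed separately, by monitoring replicated ADD operations.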

Mitigation Strategies

Immediate mitigation steps include ensuring that audit logging is properly configured and avoiding the use of the non-default CLEAR passwordStorageScheme.

Applying the updated 389-ds-base package that contains the fix for this vulnerability is recommended. The fix has been backported to Red Hat Enterprise Linux 9.6 and RHEL 10.

Users should follow the update instructions provided by Red Hat Product Security advisories to patch their systems.

Compliance Impact

The provided information does not explicitly address how this heap buffer overflow vulnerability in 389 Directory Server affects compliance with common standards and regulations such as GDPR or HIPAA.
