CVE-2026-11793
Status: Awaiting Analysis (Queue)
Stack Buffer Overflow in 389 Directory Server

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.
Affected Vendors & Products

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| redhat | 389_directory_server | * |
| redhat | 389_ds_base | * |

| CWE ID | Description |
|--------|-------------|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |

Executive Summary

CVE-2026-11793 is a stack buffer overflow vulnerability found in the 389 Directory Server, specifically in the checkPrefix() function within the pw.c file.

The vulnerability occurs when parsing reversible-encrypted attribute values that include an algorithm ID. This algorithm ID is copied into a fixed 256-byte stack buffer without proper bounds checking.

An attacker with Directory Manager privileges can exploit this by inserting a maliciously oversized algorithm ID into attributes such as nsDS5ReplicaCredentials, causing the LDAP server process (ns-slapd) to crash.

Although FORTIFY_SOURCE mitigates the risk of memory corruption by aborting the process early, this still results in a denial-of-service condition.

Impact Analysis

This vulnerability can be exploited by an attacker with Directory Manager privileges to cause the LDAP server to crash, resulting in a denial-of-service (DoS) condition.

The crash occurs because the oversized algorithm ID overflows a stack buffer, triggering the process to abort.

This can disrupt directory services, potentially affecting authentication, authorization, and other directory-dependent operations.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal terminations of the ns-slapd process, which is the LDAP server component of 389 Directory Server. Since exploitation causes a denial-of-service via process abort (SIGABRT), system logs and service status checks can reveal such events.

Additionally, checking for the presence of maliciously oversized algorithm IDs in reversible-encrypted attribute values such as nsDS5ReplicaCredentials may help identify attempts to exploit this vulnerability.

Suggested commands include:

  • Use systemctl or service commands to check the status of the 389 Directory Server service (e.g., `systemctl status dirsrv@instance` or `service dirsrv status`).
  • Examine system logs for crash reports or SIGABRT signals related to ns-slapd, for example, `journalctl -u dirsrv@instance` or `grep ns-slapd /var/log/messages`.
  • Query LDAP entries for reversible-encrypted attributes with unusually long algorithm IDs, potentially using ldapsearch commands targeting attributes like nsDS5ReplicaCredentials.
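
One way to run the attribute audit from the last item, as an added example that is not part of the original advisory or the 389 Directory Server code: it scans LDIF text (for instance, saved ldapsearch output) for nsDS5ReplicaCredentials values whose leading prefix could not fit a 256-byte buffer. That the algorithm ID is carried inside a leading `{...}` prefix is an assumption, as are the function names; the sample LDIF is constructed.

```python
import base64
import re

BUF_SIZE = 256                       # stack buffer size stated in the advisory
ATTRS = {"nsds5replicacredentials"}  # attribute named on the page; extend as needed

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def prefix_length(value):
    """Bytes between a leading '{' and the first '}' (None without '{'). Assumption:
    the algorithm ID lives in this prefix, so this is an upper bound on its length."""
    if not value.startswith(b"{"):
        return None
    end = value.find(b"}")
    return len(value) - 1 if end == -1 else end - 1  # unterminated: count it all

def scan(ldif_text, limit=BUF_SIZE):
    """Return (dn, attribute, prefix_len) where the prefix plus a NUL exceeds `limit`."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        m = re.match(r"([A-Za-z0-9;.-]+)(::?) *(.*)$", line)
        if not m:
            continue  # comments, blank lines
        attr, sep, val = m.groups()
        raw = base64.b64decode(val) if sep == "::" else val.encode()
        if attr.lower() == "dn":
            dn = raw.decode(errors="replace")
        elif attr.lower() in ATTRS:
            n = prefix_length(raw)
            if n is not None and n >= limit:
                findings.append((dn, attr, n))
    return findings

# Constructed sample LDIF (not real data); the long value is folded as in ldapsearch output.
_long = "{" + "A" * 300 + "}ciphertext"
SAMPLE = ("dn: cn=agmt-ok,cn=config\nnsDS5ReplicaCredentials: {DES}abc123\n\n"
          "dn: cn=agmt-bad,cn=config\n"
          "nsDS5ReplicaCredentials: " + _long[:50] + "\n " + _long[50:] + "\n")

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The check measures the whole brace prefix, so it may flag values that are merely unusual; treat a hit as a reason to inspect the entry and who wrote it.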
Mitigation Strategies

Immediate mitigation steps include restricting Directory Manager privileges to trusted administrators only, as exploitation requires such privileges.

Monitor and audit LDAP entries for suspicious or oversized algorithm IDs in reversible-encrypted attributes to detect potential exploitation attempts.

Apply any available patches or updates from the vendor addressing this vulnerability once released.

Consider implementing additional monitoring to detect and respond to ns-slapd process crashes promptly to minimize denial-of-service impact.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
