CVE-2026-12528
Awaiting Analysis - Queue
Heap Buffer Overflow in 389 Directory Server

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Red Hat, Inc.

Description
A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
redhat | 389_directory_server | *
CWE
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-12528 is a security vulnerability in the 389 Directory Server, specifically in the __aclp__normalize_acltxt() function of aclparse.c. The vulnerability arises because this function does not properly check the length of an Access Control Instruction (ACI) string after whitespace is removed. This leads to a one-byte out-of-bounds write and subsequent out-of-bounds reads during ACI parsing.

The flaw occurs when a malformed ACI string is processed, causing heap-buffer-overflow issues. An authenticated user with write access to the 'aci' attribute can send a crafted ACI value that silently corrupts heap memory in the directory server process.

The vulnerability involves three related heap buffer overflow issues: an out-of-bounds write of one byte, and two out-of-bounds reads due to corrupted string terminators or missing expected characters.

Impact Analysis

The impact of this vulnerability is considered low and minimal in production environments. It can cause silent heap memory corruption in the 389 Directory Server process, which might lead to instability or unexpected behavior.

Exploitation requires an authenticated user to have write access to the 'aci' attribute. In modern default configurations, only the Directory Manager typically has this access, limiting the risk. However, in older or misconfigured deployments, other authenticated users might gain this access.

Because the one-byte write is fixed and not controllable, the vulnerability is unlikely to lead to code execution. Additionally, the heap corruption is subtle and often does not cause immediate crashes, making exploitation difficult.

Detection Guidance

This vulnerability involves a subtle heap-buffer-overflow triggered by malformed Access Control Instruction (ACI) strings in the 389 Directory Server. Detection is challenging because the heap corruption is silent and does not typically cause immediate crashes or obvious errors.

Since the vulnerability requires an authenticated user with write access to the 'aci' attribute to exploit, monitoring and auditing write operations to the 'aci' attribute on directory entries can help detect potential exploitation attempts.

No specific detection commands or signatures are provided in the available resources. However, general approaches could include:

  • Audit LDAP modify operations targeting the 'aci' attribute.
  • Use LDAP query tools (e.g., ldapsearch) to review current ACI values for malformed or suspicious strings.
  • Enable verbose logging on the 389 Directory Server to capture unusual ACL parsing errors or warnings.

Because the vulnerability is subtle and does not produce clear error messages, no direct command-line detection commands are documented.
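
One way to carry out the first audit step above is sketched here as an added example; it is not from the advisory or the 389 Directory Server project. It assumes the server's audit log is enabled and uses its LDIF-style layout (blank-line separated records carrying modifiersname); the sample records, the trusted-writer list and the coarse ACI shape check are constructed for illustration.

```python
import re

# Assumption from the page: only the Directory Manager should write 'aci'.
TRUSTED_WRITERS = {"cn=directory manager"}
MOD_OPS = {"add", "replace", "delete"}
# Coarse shape of an ACI: "(target...)(version 3.0; acl ...;)". Not a CVE signature.
ACI_SHAPE = re.compile(r"^\(.*\(\s*version\s+3\.0\s*;.*;\s*\)$", re.I | re.S)

# Constructed sample records in the LDIF-style layout of a 389-ds audit log.
SAMPLE_AUDIT_LOG = """\
time: 20260617101500
dn: ou=people,dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr="*")(version 3.0; acl "admins"; allow (all)
  groupdn="ldap:///cn=admins,dc=example,dc=com";)
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20260617102200
dn: ou=groups,dc=example,dc=com
changetype: modify
add: aci
aci: placeholder-not-a-valid-aci
-
replace: modifiersname
modifiersname: uid=jdoe,ou=people,dc=example,dc=com
-
"""

def aci_writes(log_text, trusted=TRUSTED_WRITERS):
    """Return one finding per audit record that touches the aci attribute."""
    findings = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        record = re.sub(r"\n ", "", record)  # unfold LDIF continuation lines
        pairs = [l.split(":", 1) for l in record.splitlines() if ":" in l]
        pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
        ops = [k for k, v in pairs if k in MOD_OPS and v.lower() == "aci"]
        values = [v for k, v in pairs if k == "aci"]
        if not ops and not values:
            continue  # record does not touch aci
        get = dict(reversed(pairs)).get  # first occurrence of each key wins
        writer = get("modifiersname", "unknown")
        findings.append({"time": get("time", ""), "dn": get("dn", ""),
                         "writer": writer, "trusted": writer.lower() in trusted,
                         "malformed": [v for v in values if not ACI_SHAPE.match(v)]})
    return findings
```

Findings with `trusted` set to False or a non-empty `malformed` list are the ones to review by hand. Base64-encoded values (`aci::`) are not decoded and will be reported as off-shape.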

Mitigation Strategies

To mitigate this vulnerability, the primary step is to apply the upstream fix that adds proper boundary checks in the __aclp__normalize_acltxt() function.

Specifically:

  • Update the 389 Directory Server (389-ds-base) to a version that includes the fix merged in pull request #7542.
  • Restrict write access to the 'aci' attribute to trusted users only, ideally limiting it to the Directory Manager account.
  • Review and tighten Access Control Instructions (ACI) patterns to avoid granting write permissions broadly to authenticated users.

Because the vulnerability is low severity and difficult to exploit in production, these steps primarily serve as hardening measures.

Compliance Impact

The vulnerability in 389 Directory Server allows an authenticated user with write access to the 'aci' attribute to cause heap memory corruption. While the impact is considered low and primarily a hardening concern, such memory corruption could potentially affect the integrity and availability of directory services.

Since the vulnerability can lead to silent memory corruption and possibly affect availability, it may have implications for compliance with standards like GDPR and HIPAA, which require protection of data integrity and availability. However, the vulnerability does not directly affect data confidentiality.

In default modern configurations, only the Directory Manager has write access to the 'aci' attribute, limiting the risk. Older or misconfigured deployments might allow broader authenticated user access, increasing potential compliance risks.

Overall, while the vulnerability poses a low severity risk and is unlikely to lead to code execution or data breach, organizations should consider it in their risk assessments and remediation plans to maintain compliance with relevant regulations.
