CVE-2026-11610
Received Received - Intake

Heap Buffer Overflow in 389 Directory Server

Vulnerability report for CVE-2026-11610, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Red Hat, Inc.

Description

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
red_hat 389_directory_server From 3.1.4-6.fc42 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11610 is a heap buffer overflow vulnerability in the SASL I/O layer of the 389 Directory Server (389-ds-base). It occurs when an authenticated attacker, after successfully performing a SASL bind with integrity protection, sends a specially crafted oversized LDAP UNBIND packet. This packet is copied into a 512-byte heap receive buffer without proper bounds checking in the sasl_io_recv() function, allowing approximately 2 megabytes of attacker-controlled data to overflow the buffer.

This overflow can cause a denial of service (DoS) by crashing the server. The vulnerability affects deployments such as FreeIPA and Red Hat Identity Management, where any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger the issue over the network after authenticating via GSSAPI.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by crashing the 389 Directory Server. An attacker who is authenticated can exploit this flaw to cause the server to crash, potentially disrupting directory services and related authentication or identity management functions.

In environments using FreeIPA or Red Hat Identity Management, this could affect any domain user, enrolled host, or service account, leading to service outages and impacting availability.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service conditions in the 389 Directory Server (389-ds-base) after a SASL bind followed by an LDAP UNBIND request.

Specifically, detection involves identifying if an attacker has sent a specially crafted oversized LDAP UNBIND packet after authenticating via SASL mechanisms such as GSSAPI or DIGEST-MD5.

While no explicit detection commands are provided, network administrators can monitor LDAP traffic for unusually large or padded UNBIND requests following SASL binds.

  • Use packet capture tools like tcpdump or Wireshark to filter LDAP traffic and inspect UNBIND requests after SASL authentication.
  • Example tcpdump command to capture LDAP traffic: tcpdump -i <interface> port 389 -w ldap_traffic.pcap
  • Analyze captured packets in Wireshark for oversized or padded UNBIND requests following SASL binds.
  • Monitor server logs for crashes or abnormal terminations of the 389 Directory Server process.
Mitigation Strategies

Immediate mitigation steps include applying the official patch or update that adds the missing bounds check in the sasl_io_recv() function of the 389 Directory Server.

Until the patch is applied, consider restricting or monitoring SASL binds that use GSSAPI or DIGEST-MD5 mechanisms, especially from untrusted sources.

Additionally, limit network access to the 389 Directory Server to trusted hosts and users to reduce the risk of exploitation.

Regularly monitor server stability and logs for signs of exploitation attempts or crashes.

Compliance Impact

The vulnerability in the 389 Directory Server allows an authenticated attacker to cause a denial of service (server crash) by exploiting a heap buffer overflow. While the CVE description and resources detail the technical impact and exploitation method, they do not explicitly discuss implications for compliance with standards such as GDPR or HIPAA.

However, denial of service attacks can impact availability, which is a key aspect of many compliance frameworks. If the directory server is part of an identity management system that handles personal or sensitive data, such an outage could affect the ability to maintain continuous access controls and data availability, potentially impacting compliance.

No direct information is provided about data breach, data integrity loss, or unauthorized data disclosure related to this vulnerability, which are often critical factors in compliance assessments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11610. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart