CVE-2026-14969
Received Received - Intake

Hardcoded IV in 389-ds-base LDBM Encryption

Vulnerability report for CVE-2026-14969, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Red Hat, Inc.

Description

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat 389-ds-base *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-329 The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

An attacker with privileged access to the filesystem where the LDBM database files are stored can exploit this vulnerability to detect when encrypted attribute values are identical by comparing ciphertext blocks.

This can lead to a loss of confidentiality because it allows offline cryptanalysis of encrypted data, potentially revealing sensitive information.

Although the attacker needs privileged filesystem access, the vulnerability weakens the encryption protection and increases the risk of data exposure.

Executive Summary

This vulnerability exists in the 389-ds-base software's LDBM backend attribute encryption. It uses a hardcoded static initialization vector (IV) of 16 bytes of 0x61 for AES-CBC-PAD and 3DES-CBC-PAD encryption operations.

Using a fixed IV violates security best practices because CBC mode encryption requires a unique and unpredictable IV for each operation to maintain semantic security.

Because the IV is static, identical plaintext attribute values always produce the same ciphertext. This allows an attacker with privileged filesystem access to the LDBM database files to detect when encrypted entries have the same plaintext by comparing ciphertext blocks.

This weakness also enables offline cryptanalysis of encrypted attributes, potentially compromising the confidentiality of sensitive data.

Detection Guidance

This vulnerability involves the use of a hardcoded static initialization vector (IV) in the encryption of LDBM backend attributes in 389-ds-base. Detection requires verifying if the encrypted database files use a fixed IV, which can be identified by comparing ciphertext blocks for identical plaintext attributes.

Since the vulnerability is related to filesystem-level encrypted database files, detection involves inspecting the LDBM database files for repeated ciphertext blocks that indicate the use of a static IV.

There are no specific commands provided in the resources to detect this vulnerability directly. However, a possible approach is to use file inspection and cryptographic analysis tools to compare ciphertext blocks within the LDBM database files.

Mitigation Strategies

The vulnerability arises from the use of a fixed static IV in encryption, which violates security best practices. Immediate mitigation steps include:

  • Restrict privileged filesystem access to the LDBM database files to prevent attackers from obtaining ciphertext data.
  • Apply any available patches or updates from the vendor that address the use of a static IV in the 389-ds-base encryption implementation.
  • Monitor for updates or advisories from Red Hat or the 389-ds-base maintainers regarding fixes or configuration changes to eliminate the static IV usage.
Compliance Impact

The vulnerability in 389-ds-base involves the use of a hardcoded static initialization vector (IV) for AES-CBC and 3DES-CBC encryption, which allows attackers with privileged filesystem access to detect plaintext equality across encrypted entries. This weakness compromises the confidentiality of sensitive data by facilitating offline cryptanalysis.

Since confidentiality of sensitive data is a core requirement in standards like GDPR and HIPAA, this vulnerability could negatively impact compliance by undermining the effectiveness of encryption controls designed to protect personal and health information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart