CVE-2026-15041
Received Received - Intake

Timing Attack in 389 Directory Server

Vulnerability report for CVE-2026-15041, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Red Hat, Inc.

Description

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat 389_directory_server *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the 389 Directory Server's PBKDF2-SHA256 password verification function. Instead of using a constant-time comparison function to compare password hashes, it uses the standard memcmp() function. This difference allows a remote attacker to potentially measure timing differences during LDAP bind attempts and infer partial information about password hashes.

The vulnerability arises because memcmp() can reveal subtle timing differences depending on how much of the hash matches, whereas a constant-time comparison function prevents such timing side-channel attacks.

However, exploiting this vulnerability in practice is extremely difficult because the PBKDF2 function involves a high computational workload (over 8,000 iterations), which takes about 2 milliseconds per computation. This large computation time overshadows the very small timing differences caused by memcmp(), which are measured in nanoseconds.

Impact Analysis

If exploited, this vulnerability could allow a remote attacker with network access to the LDAP service to infer partial password hash information by analyzing timing differences during repeated LDAP bind attempts.

This partial information leakage could potentially aid attackers in mounting further attacks against user credentials, such as reducing the effort needed to guess or crack passwords.

However, practical exploitation is considered extremely difficult due to the computational overhead of PBKDF2, which makes timing differences very hard to measure accurately.

The CVSS base score of 3.7 reflects a low severity impact, indicating limited potential impact under typical conditions.

Detection Guidance

This vulnerability involves timing side-channel attacks on the PBKDF2-SHA256 password verification function in 389 Directory Server. Detection would require measuring timing differences in LDAP bind attempts to infer partial hash information.

Due to the extremely small timing differences (in nanoseconds) overshadowed by the high computational cost of PBKDF2 (approximately 2 milliseconds per computation), practical detection through simple commands is very difficult.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, the affected function should be updated to use a constant-time comparison function, such as replacing the standard memcmp() with slapi_ct_memcmp(), which prevents timing side-channel attacks.

Applying any available patches or updates from the 389 Directory Server maintainers that address this issue is recommended.

Additionally, restricting network access to the LDAP service to trusted hosts can reduce the risk of remote timing attacks.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart