MEDIUM 6.5

CVE-2026-11611: 389 Directory Server Memory Leak and Race Condition DoS

A memory leak vulnerability exists in 389 Directory Server's Content Synchronization (sync) feature. When an authenticated user initiates a sync request but stops reading the server's responses without properly closing the connection, the server accumulates data in memory indefinitely, eventually consuming all available resources and crashing the service. The vulnerability also introduces race conditions that can trigger crashes during normal connection cleanup or server shutdown.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
8 configuration(s)
Published / Modified
2026-06-08 / 2026-06-30

NVD description (verbatim)

A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11611 is a denial-of-service vulnerability in the Content Synchronization persistent search plugin of 389 Directory Server. The plugin fails to implement backpressure or memory limits on buffered sync responses, allowing an authenticated client to trigger unbounded memory growth by initiating a sync request and ceasing to consume responses. The vulnerability is compounded by race conditions in the plugin's thread lifecycle management, which can cause process crashes during connection teardown or graceful shutdown sequences. The issue is classified under CWE-400 (Uncontrolled Resource Consumption), reflecting the lack of safeguards on memory allocation.

Business impact

This vulnerability poses a direct threat to directory service availability. Attackers with valid credentials can trigger denial of service against 389 Directory Server instances, preventing legitimate authentication and synchronization operations. In enterprise environments where 389 Directory Server acts as a central identity provider or replication hub, exploitation could disrupt access to dependent applications and services. The race condition component adds unpredictability, potentially causing unscheduled downtime during routine connection management or maintenance windows.

Affected systems

Red Hat 389 Directory Server and Red Hat Enterprise Linux systems that include or depend on 389 Directory Server are affected. The vulnerability requires prior authentication, so it is limited to users or services with valid directory credentials. Organizations running 389 Directory Server in production—particularly those using it for LDAP-based authentication, directory replication, or hybrid identity scenarios—should assess their deployment footprint.

Exploitability

Exploitation requires a valid directory account (PR:L in the CVSS vector), which limits the attack surface to authenticated insiders, compromised applications, or federation partners with directory access. No exploit code needs to be sophisticated; any client that opens a sync connection and stops reading is sufficient. The attack is reliable and requires no special timing or race conditions to trigger the memory leak, though the race condition crashes add a secondary attack vector. The CVSS 3.1 score of 6.5 (MEDIUM) reflects the authentication requirement balanced against the high availability impact.

Remediation

Apply patches released by Red Hat for affected versions of 389 Directory Server and Red Hat Enterprise Linux. The fix addresses both the unbounded memory allocation in sync response handling and the race conditions in thread lifecycle code. Organizations should verify patch availability for their specific RHEL and 389 Directory Server versions through Red Hat's security advisories and apply patches according to their change management procedures. Until patched, network-level access controls limiting who can authenticate to the directory server can reduce exposure.

Patch guidance

Consult Red Hat's security advisories and errata channels for 389 Directory Server patch releases. Patches should address memory management in the sync plugin's response buffering and synchronization in thread teardown logic. Organizations should plan patching during maintenance windows, as 389 Directory Server restart is typically required. Test patches in non-production environments first, particularly if the server is part of a replication topology, to ensure no unintended effects on sync functionality.

Detection guidance

Monitor 389 Directory Server processes for sustained memory growth over time, particularly when sync clients connect. Capture application logs for sync-related errors, connection resets, or unexpected process terminations. Network monitoring for unusual sync connection patterns—particularly connections that remain open without data consumption—may reveal exploitation attempts. Audit logs should track authenticated users initiating sync operations. Set memory utilization thresholds and alerting to catch resource exhaustion before service impact.

Why prioritize this

Although the CVSS score is MEDIUM, this vulnerability should be prioritized because it enables denial of service to a critical identity service with only low-privilege authentication required. Any valid directory account holder—including potentially low-privilege service accounts or federated users—can trigger the attack. The combination of predictable memory exhaustion and unpredictable race condition crashes creates multiple failure modes. Organizations with 389 Directory Server in their authentication path should treat this as a near-term remediation target.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) weights the high availability impact (A:H) against the requirement for low privilege (PR:L) and no user interaction (UI:N). The low network complexity (AC:L) and network-accessible attack vector (AV:N) reflect the practical exploitability. No confidentiality or integrity impact is scored, since the attack is purely a denial of service. For organizations where directory availability is critical to business continuity, the operational risk exceeds the numerical severity rating.

Frequently asked questions

Can this vulnerability be exploited without credentials?

No. The vulnerability requires a valid authenticated session or account to initiate a sync request. The CVSS vector (PR:L) indicates low privilege is sufficient—not that no privilege is required.

What is the difference between the memory leak and the race condition components?

The memory leak occurs when an authenticated client stops consuming sync responses, causing the server to buffer unbounded data. The race conditions are separate defects in thread lifecycle management that can cause crashes independently during normal connection teardown or shutdown. Both result in denial of service but via different mechanisms.

How quickly will memory exhaustion occur?

Time to exhaustion depends on the sync dataset size, response buffering rate, and available server memory. In environments with large directories or aggressive sync configurations, exhaustion could occur within minutes; in smaller deployments, hours may pass. The unpredictability reinforces the need to patch rather than rely on monitoring thresholds alone.

Does this affect 389 Directory Server in read-only or non-sync configurations?

The vulnerability is specific to the Content Synchronization persistent search plugin. Environments that do not use sync replication features may have reduced risk, but organizations should verify their deployment configuration. Even if sync is not actively used, the plugin is often loaded by default.

This analysis is based on publicly disclosed information available as of the publication date. Red Hat patch releases, affected version details, and specific remediation steps should be verified directly against Red Hat's official security advisories and vendor statements. This content is provided for informational purposes to support security decision-making and does not constitute legal advice or a guarantee of vulnerability impact in specific environments. Organizations should conduct internal testing and assessment before applying any patches or implementing mitigations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).