CVE-2026-11785: 389 Directory Server Stack Address Disclosure via Type Confusion
CVE-2026-11785 is a flaw in 389 Directory Server that leaks partial stack memory addresses to authenticated users through LDAP responses. An attacker with valid LDAP credentials can trigger a type confusion error during SSO token processing, causing the server to inadvertently expose memory layout information. This is a limited disclosure risk—the attacker must already be authenticated, and only partial address information is exposed—but it can provide a foothold for more advanced attacks that rely on defeating address space layout randomization (ASLR).
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-843
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-30
NVD description (verbatim)
A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from type confusion in the SSO (Single Sign-On) token extended operation handler within 389 Directory Server. When processing specially crafted SSO token requests from an authenticated LDAP client, the handler mishandles object types, leading to an out-of-bounds read or similar memory access that captures stack frames. These frames contain return addresses and other stack metadata, which are then reflected back in LDAP protocol responses. The flaw is rooted in CWE-843 (Access of Resource Using Incompatible Type), a type safety issue common in C/C++ codebases that interact with weakly-typed protocol handlers.
Business impact
Organizations relying on 389 Directory Server for LDAP-based authentication and SSO face a two-stage risk. First, any authenticated user (or attacker with compromised credentials) can harvest stack address information, useful for reconnaissance. Second, this information can be combined with other memory safety bugs to construct reliable exploits against higher-privilege processes. In environments where LDAP is a critical authentication hub (universities, large enterprises, cloud providers), even a low-severity leak can be problematic when multiplied across many user interactions or when combined with other vulnerabilities.
Affected systems
Red Hat Directory Server and 389 Directory Server (the upstream open-source project) are directly affected, along with Red Hat Enterprise Linux systems that package these components. The vulnerability requires an authenticated LDAP session, so exposure is limited to installations where LDAP access is permitted. Verify your specific Directory Server version and RHEL release against Red Hat's official advisory to confirm whether you are running an affected build.
Exploitability
The attack vector is network-accessible and requires low attack complexity, but it mandates prior authentication (PR:L in the CVSS vector). An attacker cannot exploit this without valid LDAP credentials—either stolen, leaked, or obtained through social engineering. The disclosed information is partial and address-only; it does not directly compromise confidentiality of user data or cause denial of service. However, the predictability of modern exploit techniques means that even partial ASLR defeats significantly lower the bar for subsequent memory corruption attacks.
Remediation
Apply security updates from Red Hat as soon as they become available. Check Red Hat Security Advisories (RHSA) and the 389 Directory Server release notes for patched versions. In the interim, restrict LDAP access to trusted networks and authenticated users only; monitor LDAP query logs for anomalous SSO token operations. Consider implementing LDAP rate limiting or WAF-style request filtering if your directory is internet-facing.
Patch guidance
Monitor Red Hat's official security portal and subscribe to 389 Directory Server mailing lists for patch releases. When updates are published, test them in a non-production environment to validate compatibility with your authentication workflows. Given that the vulnerability requires authentication, patching should be scheduled during normal maintenance windows rather than emergency escalation—though security teams should prioritize it over routine updates.
Detection guidance
Monitor LDAP logs for repeated SSO token extended operations from the same authenticated user or IP address, especially if followed by failed bind attempts or unusual query patterns. Network-based detection is difficult because the requests are valid LDAP protocol frames; focus on behavior analytics. Baseline your LDAP server's normal SSO token operation rate and alert on deviations. Intrusion detection systems should be configured to flag multiple sequential extended operations within short time windows, particularly from accounts with high privileges.
Why prioritize this
Although the CVSS score of 4.3 (MEDIUM) is modest, the vulnerability sits at the intersection of information disclosure and defensive evasion. The leak of stack addresses is a classic stepping stone to privilege escalation or remote code execution in mixed vulnerability environments. Organizations with mature security postures should prioritize this over purely cosmetic bugs, but it does not warrant crisis response unless combined with evidence of active exploitation or if your LDAP server is internet-facing and unprotected.
Risk score, explained
The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N reflects: network-accessible endpoint (AV:N), low attack complexity (AC:L), low impact (confidentiality only, no integrity or availability loss), and mandatory prior authentication (PR:L). The score of 4.3 is driven down by the authentication requirement and the limited scope of disclosed data. Organizations with open LDAP ports should weigh this higher; those with restricted LDAP access behind firewalls and VPNs may safely deprioritize relative to other vulnerabilities.
Frequently asked questions
Do I need LDAP credentials to exploit this vulnerability?
Yes. The vulnerability requires an authenticated LDAP session. An unauthenticated attacker cannot trigger the flaw. This significantly limits exposure in properly segmented networks where LDAP access is restricted to trusted clients.
What exactly is disclosed—full memory or just addresses?
Partial stack address information is disclosed. This includes return addresses and stack frame metadata, but not bulk memory contents or user data. The partial nature means the attacker must correlate multiple requests to build a useful picture of memory layout.
Can this vulnerability be exploited in a denial-of-service attack?
No. The CVSS vector shows no availability impact (A:N). The vulnerability is purely informational; it does not crash the server or degrade availability.
Is this vulnerability currently being exploited in the wild?
CVE-2026-11785 is not yet listed on CISA's Known Exploited Vulnerabilities catalog. However, information disclosure bugs are often chained with memory safety flaws, so vigilant patching is still recommended even absent public exploit evidence.
This analysis is derived from publicly available vulnerability data and Red Hat's official disclosures. It is provided for informational purposes to assist security teams in risk prioritization. No exploit code, weaponized proof-of-concept, or vendor-specific patch version numbers are included here; consult Red Hat Security Advisories and 389 Directory Server release notes for authoritative remediation guidance. Your organization's risk tolerance, network architecture, and LDAP deployment model will determine the actual severity in your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10702MEDIUMFirefox JIT Compiler Miscompilation DoS Vulnerability
- CVE-2026-11196MEDIUMChrome Type Confusion in XML Processing – Data Leakage Risk
- CVE-2026-44640MEDIUMNanoMQ Type Confusion in QUIC Connection Handling
- CVE-2026-45702MEDIUMOP-TEE Type Confusion Vulnerability in FFA_MEM_SHARE Processing
- CVE-2026-10022HIGHChrome V8 Type Confusion Vulnerability in Extensions
- CVE-2026-10910HIGHType Confusion in Chrome V8 Engine – Arbitrary Code Execution
- CVE-2026-10935HIGHChrome V8 Type Confusion Remote Code Execution (CVSS 8.8)
- CVE-2026-10936HIGHType Confusion in Chrome V8 Engine – Remote Code Execution