CVE-2026-11787: 389 Directory Server Buffer Over-read in LDAP Filter Parsing
A vulnerability in Red Hat's 389 Directory Server allows a memory reading flaw when processing LDAP search filters. The issue occurs when the server parses certain filter strings, causing it to read data from memory locations it shouldn't access. This could potentially be exploited by an authenticated user to leak small amounts of sensitive information or disrupt normal filter processing. The vulnerability requires authentication and specific conditions to exploit, making it a moderate-risk issue that warrants patching but not immediate panic.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-126
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-30
NVD description (verbatim)
A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11787 is a heap buffer over-read in 389 Directory Server's LDAP filter parsing logic. The ldap_utf8prev() function lacks proper bounds checking when reading bytes before the start of a buffer during string filter processing. This CWE-126 (Buffer Over-read) flaw allows an authenticated attacker to read memory beyond intended boundaries, potentially influencing internal filter processing behavior and exposing data resident in adjacent heap memory. The vulnerability manifests specifically in filter parsing operations triggered by LDAP protocol interaction.
Business impact
This vulnerability poses a confidentiality and integrity risk to organizations operating 389 Directory Server or Red Hat Enterprise Linux with integrated directory services. An authenticated attacker could potentially read fragments of sensitive data from server memory, including cached credentials, configuration details, or other user information. While authentication is required, compromised or low-privilege accounts could be leveraged for exploitation. Additionally, abnormal filter processing could cause operational disruptions or unexpected behavior in directory lookups, affecting authentication and authorization workflows that depend on accurate filter results.
Affected systems
Red Hat Directory Server (all versions subject to this vulnerability) and Red Hat Enterprise Linux systems that include or depend on 389 Directory Server components are affected. The vulnerability requires an authenticated connection to the LDAP service, so exposure is limited to environments where LDAP is exposed and authentication is possible. Check your current Red Hat product versions and advisory documentation to determine if your specific installations are in scope.
Exploitability
Exploitation requires LDAP authentication (PR:L in the CVSS vector), reducing opportunistic attack risk. An attacker must have valid credentials or be able to obtain them. The attack complexity is high (AC:H), meaning specific conditions or knowledge of filter structures are needed to trigger the over-read reliably. While not a trivial exploit, this is well within the capability of a malicious insider or someone with compromised low-privilege LDAP credentials. No known public exploit exists at this time, and this is not listed as a Known Exploited Vulnerability (KEV).
Remediation
Apply security updates provided by Red Hat for 389 Directory Server and Enterprise Linux. Verify the specific patch versions in Red Hat's official advisories, as version numbers vary by product line and distribution version. Additionally, restrict LDAP access to trusted internal networks and minimize the number of accounts with LDAP authentication capability. Monitor LDAP logs for unusual filter patterns or authentication attempts that may indicate exploitation attempts.
Patch guidance
Check Red Hat's official security advisories for CVE-2026-11787 to identify the correct patch versions for your installed 389 Directory Server or Enterprise Linux releases. Patching should be prioritized within a standard maintenance window given the MEDIUM severity rating and the need for authentication to exploit. Test patches in a non-production environment first, particularly to ensure filter processing behavior is not altered. If 389 Directory Server is containerized, ensure updated base images are used in your container builds.
Detection guidance
Monitor LDAP server logs for filter parsing errors or unexpected behavior in filter operations. Watch for repeated authentication attempts from specific accounts followed by complex or unusual filter strings. Heap corruption indicators in system logs or segmentation faults in slapd processes may signal exploitation attempts. Implement network segmentation to restrict LDAP traffic to known, legitimate sources, and use IDS/IPS signatures if available from Red Hat or security vendors. Enable verbose logging on LDAP filter processing if operationally feasible.
Why prioritize this
Despite the MEDIUM CVSS score, this vulnerability merits timely patching due to its confidentiality impact and the potential for insider threats. The requirement for authentication reduces but does not eliminate risk, especially in environments where account credentials are widely distributed or poorly managed. The fact that it is not yet a KEV indicates no active exploitation in the wild, providing a window to patch deliberately without emergency-driven pressure. Organizations should incorporate this into their regular patching cycles rather than delay.
Risk score, explained
The CVSS 3.1 score of 5.0 (MEDIUM) reflects the combination of network accessibility (AV:N), required authentication (PR:L), high attack complexity (AC:H), and limited impact scope (S:U) affecting only the service itself. While confidentiality, integrity, and availability are all potentially affected (C:L/I:L/A:L), each impact is low and localized. The score appropriately weights the need for valid credentials and specific exploitation conditions against the exposure from a network-facing service.
Frequently asked questions
Can this vulnerability be exploited without LDAP authentication?
No. The CVSS vector shows PR:L (requires low privilege), meaning a valid LDAP user account is necessary. Unauthenticated attackers cannot trigger the vulnerability, which significantly reduces exposure in most environments.
What version of Red Hat Directory Server or Enterprise Linux am I vulnerable to?
Consult Red Hat's official security advisory for CVE-2026-11787 to determine affected versions. Different RHEL releases and 389 Directory Server versions may have different vulnerability windows and patch availability.
Is this vulnerability being actively exploited?
No, this is not listed as a Known Exploited Vulnerability (KEV) as of this writing. However, organizations should not rely on this as justification to delay patching indefinitely.
If we have network-based access controls restricting LDAP to specific systems, are we still at risk?
Yes, but the risk is significantly reduced. If a trusted internal system is compromised or if an attacker operates from within your network, they could still exploit this if they obtain LDAP credentials. Defense in depth remains important.
This analysis is provided for informational purposes and reflects information available as of the published date. Organizations should verify all technical details, affected versions, and patch availability against Red Hat's official security advisories. The absence of a known exploit does not guarantee absence of vulnerability; proactive patching is recommended. Security contexts vary; consult with your security team and vendors to assess applicability and urgency for your specific environment. No warranty is provided regarding the accuracy or completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-59609MEDIUMQualcomm MBSSID Information Disclosure (MEDIUM 5.5)
- CVE-2026-45684MEDIUMOpenTelemetry eBPF Instrumentation Buffer Over-Read Vulnerability
- CVE-2026-42828HIGHWindows Projected File System Filter Driver Privilege Escalation Vulnerability
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-11611MEDIUM389 Directory Server Memory Leak and Race Condition DoS
- CVE-2026-11785MEDIUM389 Directory Server Stack Address Disclosure via Type Confusion
- CVE-2026-11788MEDIUM389 Directory Server Unauthenticated Denial-of-Service via Memory Allocation Flaw
- CVE-2026-11789MEDIUM389 Directory Server SMD5 Integer Underflow DoS Vulnerability