CVE-2026-11788: 389 Directory Server Unauthenticated Denial-of-Service via Memory Allocation Flaw
A vulnerability exists in 389 Directory Server where the dereference control plugin fails to verify that memory allocation succeeded before proceeding. An attacker on the network can trigger memory exhaustion conditions to crash the LDAP server without providing credentials. The attack requires specific environmental conditions (system memory pressure) to succeed, but no authentication is required.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-30
NVD description (verbatim)
A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11788 is a null pointer dereference vulnerability (CWE-476) in the dereference control plugin of 389 Directory Server. The flaw occurs because the plugin does not validate successful allocation of a BER (Basic Encoding Rules) structure before dereferencing it. When the system experiences memory pressure, the allocation can fail silently, but the code proceeds to use the invalid pointer, resulting in a denial-of-service condition. The vulnerability is remotely exploitable over the network without authentication.
Business impact
This vulnerability enables unauthenticated remote denial-of-service attacks against 389 Directory Server deployments. Organizations relying on Directory Server for LDAP authentication and directory services face service disruption risk, particularly in environments where memory resources are constrained or during high-load periods. Repeated or sustained attacks could prevent legitimate users from authenticating, impacting business continuity and dependent applications.
Affected systems
Red Hat 389 Directory Server and Red Hat Enterprise Linux installations that include Directory Server are affected. The vulnerability impacts multiple RHEL versions bundled with vulnerable Directory Server releases. Determine your specific Directory Server version and RHEL release to assess exposure within your infrastructure.
Exploitability
The vulnerability has a CVSS 3.1 score of 5.9 (Medium severity) with an attack vector of network, no authentication required, but elevated attack complexity. The requirement for system memory pressure raises the bar for reliable exploitation compared to trivial denial-of-service attacks. However, in production environments with predictable or heavy workloads, the memory pressure condition may be achievable or present intermittently, making the vulnerability practically exploitable for a motivated attacker.
Remediation
Apply security updates from Red Hat that address this allocation failure check in the dereference control plugin. Coordinate patching across your Directory Server and Enterprise Linux infrastructure. Verify against the vendor advisory for specific patched version numbers and any interim workarounds for environments where immediate patching is not feasible.
Patch guidance
Contact Red Hat or consult their security advisory for CVE-2026-11788 to obtain the specific patched Directory Server version for your RHEL release. Test patches in a non-production environment before broad deployment to ensure compatibility with your authentication and directory infrastructure. Prioritize patching Directory Servers exposed to untrusted network segments.
Detection guidance
Monitor Directory Server logs for unexpected crashes or restarts, particularly correlated with high memory utilization or failed authentication attempts from unfamiliar sources. Network-based detection is challenging since the attack is a memory-exhaustion trigger, but observe for sustained connection attempts to LDAP ports (389/636) from external IP ranges. Implement resource monitoring to alert on abnormal memory consumption patterns on Directory Server systems.
Why prioritize this
Although the CVSS score is Medium (5.9), prioritize this vulnerability because it affects core authentication infrastructure and requires no credentials to exploit. The denial-of-service impact can cascade across dependent systems. However, the attack complexity requirement for memory pressure conditions and lack of KEV listing suggests lower active exploitation prevalence; defer non-critical systems behind the patch for Directory Servers handling authentication for production services.
Risk score, explained
The CVSS 3.1 score of 5.9 reflects the network-exploitable, unauthenticated nature of the attack (elevating risk) balanced against attack complexity and the confidentiality and integrity impact being none. Only availability (denial-of-service) is affected. Organizations operating Directory Server under consistent memory pressure or in unpredictable load environments should weight this toward high-priority patching despite the moderate numerical score.
Frequently asked questions
Can the attacker read or modify directory data with this vulnerability?
No. This vulnerability only causes denial-of-service through server crashes. Confidentiality and integrity of directory data are not compromised. However, unavailability of the directory prevents authentication and lookups until the server is restored.
Do I need authentication credentials to exploit this vulnerability?
No. The vulnerability is remotely exploitable without providing LDAP credentials. Any unauthenticated attacker on the network can attempt to trigger memory pressure conditions leading to a crash.
Is there a publicly disclosed exploit for CVE-2026-11788?
No. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog, indicating no confirmed public weaponization as of the latest update. However, the simplicity of triggering memory allocation failures suggests potential for development.
Which Red Hat products should I prioritize for patching?
Prioritize Directory Server instances that provide authentication services for critical applications or are accessible from untrusted networks. Check your RHEL release version against the vendor advisory to identify compatible patches, then test and deploy in order of criticality.
This analysis is based on publicly available vulnerability data current as of June 2026. Red Hat may release additional advisories, patches, or threat intelligence updates after publication. Verify specific patch version numbers and affected product versions directly with Red Hat security advisories before deployment. This vulnerability assessment is provided for informational purposes and should not substitute for formal risk assessment within your organization. Testing and validation in non-production environments is strongly recommended prior to production patching. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60485MEDIUMMP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
- CVE-2025-60495MEDIUMMP4Box Segmentation Fault DoS Vulnerability – Patching Guide
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-28581MEDIUMAndroid Emergency Call Logic Error Vulnerability
- CVE-2026-42766MEDIUMOpenSSL CMS NULL Pointer Denial of Service