CVE-2026-11789: 389 Directory Server SMD5 Integer Underflow DoS Vulnerability
389 Directory Server contains a flaw in its SMD5 password storage plugin that causes the LDAP server to crash when processing certain malformed password hashes. An authenticated attacker with high privileges can trigger this crash by submitting a specially crafted password hash shorter than 16 bytes, which causes the plugin to miscalculate memory boundaries and read beyond allocated buffers. The crash results in denial of service but does not leak sensitive data or compromise authentication logic itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-191
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-30
NVD description (verbatim)
A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11789 is an integer underflow vulnerability (CWE-191) in the SMD5 password storage plugin of 389 Directory Server. When the plugin processes a password hash shorter than 16 bytes, it performs an unsigned integer underflow while computing salt length, resulting in an out-of-bounds buffer over-read. This memory access violation crashes the LDAP server process during authentication attempts, causing service unavailability. The vulnerability requires high-privilege authentication to exploit, limiting its attack surface to authenticated users within trusted networks.
Business impact
Directory server downtime directly impacts identity and access management infrastructure. An attacker with valid high-privilege credentials can repeatedly crash the LDAP authentication service, forcing manual intervention to restore availability. In environments where 389 Directory Server is the primary identity provider, this denial of service can cascade to downstream applications that depend on authentication and directory queries. Recovery requires server restart, incurring operational overhead and potentially delaying legitimate user access.
Affected systems
Red Hat Directory Server (all listed versions), Red Hat 389 Directory Server, and Red Hat Enterprise Linux installations that include or depend on the affected directory server components are vulnerable. The vulnerability affects the authentication pathway at the point where password hashes are validated, so any environment relying on LDAP authentication through these products is exposed.
Exploitability
Exploitation requires an attacker to possess valid high-privilege authentication credentials and network access to the LDAP service. The attack is straightforward—submit a password hash shorter than 16 bytes during authentication—but the prerequisite of legitimate credentials significantly constrains the threat landscape. The vulnerability is not remotely exploitable by unauthenticated attackers. CVSS 3.1 score of 4.9 (MEDIUM severity) reflects the requirement for authenticated access and the limited impact (availability only, no confidentiality or integrity breach). The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Apply security patches from Red Hat when available for affected Directory Server and Enterprise Linux versions. Until patches are deployed, restrict high-privilege account access to trusted administrators and monitor LDAP server logs for authentication failures or unexpected crashes. Implement network segmentation to limit who can reach LDAP services, and consider temporary rate-limiting on authentication attempts to slow potential attack attempts. Verify patch applicability with Red Hat's security advisories to confirm version compatibility.
Patch guidance
Check Red Hat's security advisory for CVE-2026-11789 to obtain patched versions of 389 Directory Server and Enterprise Linux packages. Test patches in a staging environment that mirrors your production LDAP setup before rolling out. Monitor authentication performance and server stability during and after patching. If your environment uses a third-party LDAP frontend or load balancer, verify that it does not cache or reuse connections in ways that could mask the fix.
Detection guidance
Monitor 389 Directory Server process behavior for unexpected crashes or frequent restarts correlating with authentication spikes. LDAP logs may show malformed password hash entries or authentication errors preceding crashes. Implement alerting on LDAP server restarts and sudden drops in authentication throughput. Endpoint Detection and Response (EDR) tools can flag repetitive authentication failures from the same high-privilege account. Review recent access logs for any high-privilege accounts attempting unusual operations immediately before crashes.
Why prioritize this
While the CVSS score is moderate (4.9), the vulnerability should be addressed in regular patch cycles because it directly impacts service availability and exploitability is trivial once a high-privilege account is compromised. Organizations should prioritize patching based on their reliance on 389 Directory Server for production authentication. However, this is not a critical emergency if access controls restrict high-privilege accounts and network segmentation is in place.
Risk score, explained
The CVSS 3.1 score of 4.9 reflects a network-accessible service flaw with low attack complexity but a mandatory requirement for authenticated, high-privilege access. The impact is limited to availability (server crash), with no confidentiality or integrity compromise. Unsigned integer underflow bugs are well-understood in the security community, but the prerequisite of valid high-privilege credentials prevents this from being a critical threat. The score appropriately balances the severity of DoS impact against the practical barrier to exploitation.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The flaw requires valid high-privilege authentication credentials to trigger. Unauthenticated attackers cannot reach the vulnerable code path.
Does this vulnerability compromise user passwords or leak directory data?
No. The vulnerability only causes a buffer over-read that crashes the server. There is no confidentiality or integrity impact; no data is exfiltrated or corrupted.
What should I do if I rely on 389 Directory Server and cannot patch immediately?
Restrict high-privilege account access to trusted administrators, monitor LDAP logs for crashes, and consider implementing network segmentation or rate-limiting on authentication services. Subscribe to Red Hat security advisories for patch availability.
Is this vulnerability actively exploited in the wild?
No. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no evidence of active exploitation in the wild as of the current date.
This analysis is based on publicly available information as of the publication date. CVSS scores and vulnerability details are subject to change as new information emerges. Organizations should verify patch availability and applicability directly with Red Hat security advisories. This explainer does not constitute legal or compliance advice. Security teams should test patches in staging environments before production deployment and maintain current backup and disaster-recovery procedures. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35049MEDIUMWire iOS Denial-of-Service via Malformed Proteus Message
- CVE-2026-37231HIGHFlexRIC xapp_id Counter Overflow Denial of Service
- CVE-2026-42980HIGHWindows NT Kernel Integer Underflow Privilege Escalation Vulnerability
- CVE-2026-42981HIGHWindows Performance Monitor Integer Underflow RCE
- CVE-2026-46107HIGHLinux Kernel dm-thin Reference Count Underflow - Storage Metadata Corruption
- CVE-2026-50593HIGHGraphite Font Integer Underflow & Out-of-Bounds Write Vulnerability
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-11611MEDIUM389 Directory Server Memory Leak and Race Condition DoS