MEDIUM 4.9

CVE-2026-11790: 389 Directory Server PBKDF2 Denial of Service Vulnerability

389 Directory Server contains a weakness in how it handles password verification when using PBKDF2-SHA256 encryption. An attacker with administrative access can tamper with a user's stored password hash to include an extremely high iteration count. When that user (or an automated system) attempts to authenticate, the server wastes excessive CPU resources recalculating the password hash, effectively freezing responsiveness for legitimate users. This is a denial-of-service attack that requires the attacker to already have administrative privileges to modify password data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
8 configuration(s)
Published / Modified
2026-06-09 / 2026-06-30

NVD description (verbatim)

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The PBKDF2-SHA256 password storage plugin in 389 Directory Server fails to validate an upper bound on the iteration count parameter embedded in password hash strings. PBKDF2 uses iteration counts to increase computational cost and slow brute-force attacks, but without a ceiling, an attacker with write access to the directory database can inject arbitrarily large iteration values. During authentication, the server faithfully executes that inflated iteration count, consuming disproportionate CPU cycles and causing service degradation. This maps to CWE-400 (Uncontrolled Resource Consumption).

Business impact

Organizations running 389 Directory Server as their authentication backbone face potential authentication service outages if an insider or compromised administrator tampers with password hashes. During peak login periods or batch authentication operations, even a single malicious hash with an extreme iteration count can degrade response times across the directory service, affecting user logons, application authentication, and potentially downstream systems that depend on timely LDAP responses. Recovery requires either administrative intervention to reset the affected user's password or restart of the directory service.

Affected systems

Red Hat Directory Server and 389 Directory Server installations are affected. This also impacts Red Hat Enterprise Linux systems that bundle or depend on 389 Directory Server for authentication. The vulnerability does not affect other directory services (Active Directory, OpenLDAP, etc.) unless they also use a vulnerable password plugin configuration. Confirm affected versions against Red Hat security advisories.

Exploitability

Exploitation requires high privilege: the attacker must already have administrative or database-level write access to modify password hashes in the directory. This is not a remote unauthenticated vulnerability. Once an attacker has that level of access, the attack is trivial—simply crafting a hash with a large iteration count requires no special tools. The impact (denial of service) is reliable and difficult for defenders to detect in real time without monitoring CPU usage during authentication events.

Remediation

Apply vendor security updates from Red Hat that patch the PBKDF2-SHA256 plugin to enforce a reasonable upper bound on iteration counts. In the interim, restrict administrative and database-level access to the directory server, audit password hash modifications, and monitor CPU consumption during authentication spikes. Consider implementing rate limiting or connection throttling on the authentication service to mitigate the effect of resource-exhaustion attacks.

Patch guidance

Obtain the latest security advisory from Red Hat for 389 Directory Server and Red Hat Enterprise Linux. The patch will include validation logic to reject or cap iteration counts at a safe threshold. Apply updates in a staging environment first, verify that legitimate password verification performance is unaffected, and then deploy to production. Organizations should prioritize patching systems that serve as centralized authentication providers.

Detection guidance

Monitor LDAP server CPU utilization during authentication requests, particularly for spikes that correlate with failed or slow logins. Review audit logs for unexpected modifications to user password hashes, especially by privileged accounts. Implement alerting on password hash changes that occur outside of normal password-change workflows. Network-side detection is difficult; focus on host-based monitoring of directory server process resource usage and access logs.

Why prioritize this

Although the CVSS score is medium (4.9) and exploitation requires high privilege, the impact—authentication service denial of service—is operationally severe. Many organizations depend on directory servers for mission-critical logon and authorization. An insider threat or compromised admin account can immediately degrade authentication availability. Prioritize patching in environments where 389 Directory Server is the primary authentication provider.

Risk score, explained

The CVSS 3.1 score of 4.9 (MEDIUM) reflects that high privilege is required to modify password hashes, limiting the attack surface. However, the attack vector is network-accessible (CVSS AV:N), no user interaction is needed, and the impact on availability is high (CVSS A:H). The score appropriately downgrades due to the privilege requirement (PR:H), but organizations should recognize that insider threats or admin account compromise elevate this risk significantly in practice.

Frequently asked questions

Can an attacker exploit this without administrative access?

No. The vulnerability requires the ability to modify user password hashes in the directory database. This typically demands directory administrator or backend database access. An attacker cannot exploit this remotely by simply sending malformed authentication requests.

Does patching this require a directory server restart?

That depends on the specific patch approach; verify against the Red Hat advisory. Some patches may allow hot reload of the plugin without restart, while others may require a service restart. Plan maintenance windows accordingly, especially if your directory server is a single point of authentication.

Are other PBKDF2 implementations affected?

Not necessarily. This vulnerability is specific to 389 Directory Server's implementation of the PBKDF2-SHA256 storage plugin. Other applications, libraries, or directory services that use PBKDF2 may have their own iteration-count validation; assess each separately.

What should I do if I cannot patch immediately?

Strengthen access controls on your directory server and database—limit who can modify user entries. Enable detailed audit logging of password hash changes. Monitor CPU usage during authentication for anomalies. If feasible, consider using a different password hash algorithm (if supported) as a temporary workaround, though this requires careful testing.

This analysis is based on the CVE record and vendor information available as of the publication date. Specific patch versions, affected product builds, and remediation timelines should be verified against Red Hat's official security advisories. This document does not constitute legal advice or guarantee of security. Organizations are responsible for assessing their own exposure and implementing appropriate controls based on their risk tolerance and operational requirements. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).