CVE-2026-11792: 389 Directory Server Heap Buffer Overflow in Audit Logging
A memory corruption flaw exists in 389 Directory Server's audit logging feature. When audit logging is enabled and certain password storage conditions are met, the server can write more data than a buffer can hold, corrupting memory and producing garbled audit logs. The vulnerability requires non-standard configuration or a compromised replication partner to trigger, which limits real-world exposure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-122
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-30
NVD description (verbatim)
A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11792 is a heap buffer overflow in the create_masked_entry_string() function within auditlog.c. The function copies a fixed-length password mask into a heap buffer without verifying sufficient space remains. The overflow occurs only when audit logging is active and a short cleartext password is logged—a condition that requires either non-default CLEAR password storage policy or password data arriving from a compromised replication peer. The flaw corrupts heap metadata and produces malformed audit log entries.
Business impact
The business impact is limited by the exploitation constraints. An organization running 389 Directory Server with audit logging would experience audit log corruption, potentially obscuring compliance records and incident investigation trails. No confidentiality breach occurs. Availability impact is also low unless heap corruption triggers a crash, which is not guaranteed. Organizations relying on audit logs for security monitoring or regulatory compliance should address this, but the threat does not represent immediate operational risk.
Affected systems
The vulnerability affects 389 Directory Server installations with audit logging enabled. The specific conditions—short cleartext passwords and non-default storage policies—are uncommon in typical deployments. Replication scenarios involving a compromised peer represent an additional attack surface. Organizations should verify their password storage settings and audit logging configuration to determine exposure.
Exploitability
Exploitability is constrained by multiple prerequisites. An attacker must either compromise a replication peer to inject malicious password data, or the target must be running a non-standard configuration that stores cleartext passwords. Neither condition is typical. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L) reflects high attack complexity and required high privileges. No public exploit code is known, and active exploitation in the wild is unlikely.
Remediation
Apply the security patch released by Red Hat for 389 Directory Server. Verify the patch version against the vendor advisory. In the interim, review password storage policies to ensure CLEAR storage is not enabled unless operationally necessary. Audit logging can be temporarily disabled if compliance requirements permit, though this reduces detective capabilities. Segregate replication connections and monitor for unauthorized replication attempts.
Patch guidance
Check the Red Hat Security Advisory for 389 Directory Server CVE-2026-11792 for the specific patched version applicable to your release branch. Deploy patches in your change management process with priority appropriate for a LOW-severity flaw with limited real-world exploitation potential. Verify audit logging functionality after patching to confirm no regression.
Detection guidance
Monitor 389 Directory Server audit logs for malformed or truncated entries, particularly those involving password operations. Alert on unexpected heap corruption indicators if available through your monitoring tools. Review replication peer configurations and restrict replication to trusted, hardened systems. Check system logs for unexpected crashes or segmentation faults in the Directory Server process, which could indicate heap memory corruption.
Why prioritize this
This is a low-priority patch driven by the combination of low CVSS score (3.3), multiple exploitation prerequisites, and low real-world attack likelihood. It does not appear on the CISA KEV catalog. Prioritize patches for critical and high-severity vulnerabilities first; schedule this for routine maintenance windows. However, organizations with strict compliance audit requirements should move it forward in their queue because audit log integrity has secondary compliance value.
Risk score, explained
CVSS 3.3 (LOW) reflects: minimal confidentiality impact, low integrity impact limited to audit logs, minimal availability impact, network accessibility, but very high attack complexity (AC:H) due to password storage and replication preconditions, and requirement for high privileges (PR:H). The flaw is real and should be patched, but real-world risk is substantially lower than the CVSS alone suggests because the prerequisites are uncommon.
Frequently asked questions
Do we need to patch immediately if we use 389 Directory Server?
No. Apply this patch as part of routine maintenance windows. The vulnerability requires multiple uncommon conditions: non-default password storage, audit logging enabled, and a short cleartext password. If you are using standard configurations with hashed passwords, your risk is minimal. Verify your setup before determining urgency.
What happens if the heap buffer overflows?
The overflow corrupts heap memory adjacent to the buffer, potentially damaging the audit log structure itself. This results in garbled or incomplete audit log entries. A crash is possible but not guaranteed. Confidential data is not leaked because the overflow affects internal buffers, not adjacent sensitive data structures.
Can this be exploited over the network without internal access?
The vulnerability itself is remotely accessible over the network. However, triggering it requires either compromising a replication peer (complex and rare) or configuring the target server in an unusual way. The CVSS vector reflects this with high attack complexity. Most deployments are not at risk.
Does disabling audit logging eliminate the risk?
Yes, disabling audit logging completely prevents the code path from executing. However, audit logs are typically required for compliance and security monitoring. A better approach is to apply the patch and retain logging.
This analysis is provided for informational purposes. It is based on the published CVE record and vendor advisory as of the analysis date. Specific patch versions, affected product builds, and deployment guidance should be verified directly with Red Hat's security advisory. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Organizations should conduct their own risk assessment based on their specific configurations, dependencies, and compliance requirements. This document does not constitute professional security advice or a substitute for consultation with your security team or vendor support. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-40528LOWOpenSC Buffer Overflow in pkcs15-init Profile Parser
- CVE-2025-55664MEDIUMGPAC MP4Box Heap Buffer Overflow DoS Vulnerability
- CVE-2026-0059HIGHAndroid Heap Buffer Overflow in SDP Discovery – Remote Code Execution
- CVE-2026-0100HIGHAndroid Heap Buffer Overflow Local Privilege Escalation
- CVE-2026-10194MEDIUMOFFIS DCMTK Heap Buffer Overflow in Query/Retrieve Service
- CVE-2026-10200MEDIUMAssimp 6.0.4 Heap Buffer Overflow in glTF Matrix Parser
- CVE-2026-10229MEDIUMAssimp Half-Life MDL Loader Heap Buffer Overflow
- CVE-2026-10230MEDIUMAssimp Half-Life MDL Loader Heap Buffer Overflow Vulnerability