MEDIUM 4.9

CVE-2026-11793: 389 Directory Server Stack Buffer Overflow in Password Parsing

A stack buffer overflow vulnerability has been identified in 389 Directory Server's password handling code. When parsing specially crafted credentials, the checkPrefix() function in pw.c fails to validate the length of an algorithm identifier before copying it into a fixed 256-byte buffer. An attacker with Directory Manager credentials can exploit this to crash the LDAP server. While the vulnerability could theoretically allow code execution, compiler protections like FORTIFY_SOURCE limit the practical impact to denial of service in most deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-30

NVD description (verbatim)

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11793 is a stack buffer overflow (CWE-121) in the checkPrefix() function within 389 Directory Server's pw.c module. The vulnerability occurs during parsing of reversible-encrypted attribute values when an attacker-controlled algorithm ID is copied without bounds checking into a 256-byte stack buffer. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility, high privilege requirement, and impact limited to availability. Compiler-level protections such as FORTIFY_SOURCE prevent memory corruption from escalating to code execution, constraining the flaw to a denial-of-service condition.

Business impact

The primary risk is service disruption. An attacker with Directory Manager privileges can crash the LDAP server, rendering directory services unavailable for authentication and authorization lookups across dependent applications. In environments where 389 Directory Server is critical to identity and access management, downtime directly impacts user productivity and application availability. The requirement for elevated privileges significantly narrows the attack surface; this is an insider or post-compromise threat rather than a remote unauthenticated attack.

Affected systems

Red Hat 389 Directory Server is affected. Organizations running 389 Directory Server in any deployment model—whether as a standalone identity provider or as part of Red Hat Identity Management (IdM)—should assess their exposure. The vulnerability requires Directory Manager-level credentials to trigger, so impact is limited to scenarios where an attacker has already gained high-privilege access to the directory service or where a malicious administrator exists.

Exploitability

Exploitability is moderate but constrained by access requirements. An attacker must possess or obtain Directory Manager credentials to craft and store a malicious credential with an oversized algorithm ID. The attack is reliable for causing denial of service on vulnerable versions, but FORTIFY_SOURCE mitigations prevent code execution. This is not a remote unauthenticated vulnerability; it requires prior privilege escalation or insider compromise. The straightforward nature of the overflow (simple bounds failure in a parsing function) means exploitation is feasible for any adversary with the required access level.

Remediation

Apply the security update provided by Red Hat for 389 Directory Server. The patch addresses the bounds-checking flaw in the checkPrefix() function. Organizations should prioritize patching in environments where 389 Directory Server supports critical authentication infrastructure. Verify patch applicability and compatibility with your specific deployment, including any custom configurations or dependent systems. Testing in a staging environment before production deployment is recommended.

Patch guidance

Consult the Red Hat Security Advisory corresponding to CVE-2026-11793 for specific patch version numbers, installation procedures, and any pre-requisite updates. Red Hat typically provides patches through official package repositories; use your standard patch management process (yum, dnf, or your configuration management system) to deploy updates. Verify the patch has been applied by confirming the 389 Directory Server version post-update and testing directory service functionality before and after patching. If running 389 Directory Server as part of Identity Management, ensure all related components are updated in coordination.

Detection guidance

Monitor 389 Directory Server logs for unusual credential storage or parsing errors, particularly around the password attribute handling. A server crash or unexpected restart following credential modification attempts may indicate exploitation attempts. Implement logging and alerting for Directory Manager account activity, especially credential creation or modification. Network monitoring for LDAP protocol anomalies (e.g., oversized attribute values in credential payloads) can provide early warning. Intrusion detection systems should be configured to flag suspicious LDAP traffic patterns.

Why prioritize this

While the CVSS score of 4.9 (MEDIUM) reflects limited severity, the vulnerability warrants timely remediation because 389 Directory Server is often mission-critical for authentication and authorization. The requirement for Directory Manager privileges substantially reduces immediate risk in well-segmented environments, but post-compromise scenarios make this a secondary-phase concern for incident response. Organizations with strong access controls and privilege separation can defer this behind critical remote-execution flaws, but those with weak IAM segmentation should prioritize more aggressively. This is a classic examples of a vulnerability that becomes urgent only if initial compromise has occurred.

Risk score, explained

The CVSS 3.1 score of 4.9 reflects a network-accessible denial-of-service flaw with high privilege requirements and no confidentiality or integrity impact. The score appropriately captures the constrained attack surface (Directory Manager access required) and the limited blast radius (availability only). Organizations with robust privilege boundaries and segmentation will see this as lower risk; those with weaker controls or where 389 Directory Server is tightly coupled to critical services may perceive risk as higher due to business context rather than technical severity.

Frequently asked questions

What credentials are required to exploit this vulnerability?

An attacker must have Directory Manager credentials for the 389 Directory Server. Directory Manager is the administrative account with full read and write access to the directory. This is not exploitable by ordinary directory users or unauthenticated attackers.

Does this vulnerability allow remote code execution?

No. While the underlying flaw is a stack buffer overflow, compiler-level protections like FORTIFY_SOURCE prevent the overflow from being weaponized into arbitrary code execution. The practical impact is limited to denial of service (server crash).

If I have FORTIFY_SOURCE enabled, am I fully protected?

FORTIFY_SOURCE mitigates code execution but does not prevent the denial-of-service condition. A Directory Manager can still crash the server by supplying a crafted credential with an oversized algorithm ID. Patching is still necessary to fully remediate the flaw.

How does this affect Red Hat Identity Management (IdM)?

389 Directory Server is the underlying directory component in Red Hat Identity Management. Organizations using IdM should apply the corresponding security update to ensure their identity infrastructure is protected against this denial-of-service vector.

This analysis is provided for informational purposes to support vulnerability management and security decision-making. While we have made reasonable efforts to ensure accuracy, we make no warranties regarding the completeness or correctness of the information herein. Organizations should verify all technical details, patch applicability, and vendor guidance against official Red Hat security advisories and their own infrastructure specifications. Patch versions, timelines, and compatibility matrices must be validated with vendor documentation before deployment. This vulnerability analysis does not constitute legal or compliance advice; consult your compliance team regarding regulatory reporting requirements. SEC.co and its analysts assume no liability for actions taken in reliance on this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).