CVE-2026-11884: 389 Directory Server Heap Buffer Overflow in Schema Serialization
A flaw in 389 Directory Server allows an attacker with administrative privileges—or someone controlling a replication server—to crash the service by creating directory object definitions with unusually long inheritance fields. The underlying issue is that the server calculates buffer space without accounting for the full size of these fields, leading to memory corruption when data is written. This is a remnant of an earlier incomplete patch attempt.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-122
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-30
NVD description (verbatim)
A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11884 is a heap buffer overflow in 389 Directory Server's schema serialization logic. The vulnerable functions read_schema_dse() and schema_oc_to_string() fail to include the oc_superior (SUP) field length in buffer size calculations, yet the field is still written into the buffer via strcat(). An attacker with Directory Manager privileges or control of a replication supplier can craft objectclass definitions with abnormally long SUP values to trigger heap corruption and denial of service. The vulnerability represents an incomplete remediation of CVE-2025-14905.
Business impact
Directory Server outages disrupt authentication and authorization for dependent applications. An internal attacker or compromised replication partner can force repeated crashes, degrading or disabling LDAP services that many enterprises rely on for identity management. Recovery requires manual intervention and restart, extending downtime. For organizations using 389 DS as their primary directory backbone, this creates a material availability risk.
Affected systems
389 Directory Server is vulnerable. Affected versions have not been disclosed in available advisories; verify the exact affected version range and patched releases directly with Red Hat's security advisory for this CVE. Replication topologies are at higher risk because a compromised or malicious replication supplier can inject the malicious schema without needing local Directory Manager credentials.
Exploitability
Exploitation requires either Directory Manager-level credentials within the same directory, or compromise of a replication supplier system. Network access to the LDAP port (typically 389/636) is necessary, but the CVSS vector reflects that no user interaction is required once the attacker has the needed privilege level. The attack is straightforward: create an objectclass with an oversized SUP field and trigger schema serialization. No sophisticated exploitation technique is needed.
Remediation
Apply the security patch released by Red Hat for 389 Directory Server that addresses CVE-2026-11884. The patch corrects buffer size calculations in schema serialization to account for all fields, including oc_superior. Additionally, restrict Directory Manager account access to trusted administrators and audit replication supplier configurations to detect unauthorized or compromised peers.
Patch guidance
Obtain and deploy the patched version of 389 Directory Server from Red Hat's official repositories. Verify the patch version against the official CVE advisory before deployment. Test the update in a non-production environment first to ensure compatibility with your replication topology and dependent services. Restart the affected Directory Server instances after patching. Monitor for any schema-related errors in logs post-deployment.
Detection guidance
Monitor 389 Directory Server logs for unexpected schema modification attempts, particularly those involving objectclass creation with unusually long attribute values. Watch for unscheduled service restarts or crashes correlated with LDAP replication events or administrative tool usage. Heap buffer overflow patterns may appear as segmentation faults in server logs or core dumps. Network-based detection is limited; focus on log analysis and access controls to identify suspicious Directory Manager activity or replication anomalies.
Why prioritize this
Although scored MEDIUM (6.5), this vulnerability warrants prompt attention because it enables denial of service in a critical identity service. The attack surface is narrow—requiring high privilege or replication compromise—but the impact (service unavailability) is significant. Organizations should prioritize patching after addressing CRITICAL and HIGH vulnerabilities, but well ahead of lower-severity issues.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects the requirement for elevated privileges (PR:H) to exploit the flaw and the absence of confidentiality impact (C:N). However, integrity and availability are both affected (I:H/A:H), as the attacker can corrupt memory and crash the service. The network attack vector (AV:N) and low attack complexity (AC:L) keep the score from being lower, but high privilege requirement prevents a higher rating. The score appropriately balances the operational severity against the narrow attack surface.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The attacker must either hold Directory Manager credentials or control a replication supplier system. Unauthenticated LDAP connections cannot trigger the flaw.
What is the difference between this CVE and CVE-2025-14905?
CVE-2026-11884 is described as an incomplete fix variant of CVE-2025-14905. The earlier patch did not fully address the buffer calculation issue; the oc_superior field was still omitted from size calculations in certain code paths. This CVE represents a regression or incomplete remediation that was later discovered.
Is there a workaround if we cannot patch immediately?
Restrict Directory Manager account access to a small set of trusted administrators and implement strict access controls around replication suppliers. These steps reduce the attack surface but do not eliminate the vulnerability. Patching remains the definitive remediation.
How does this affect replicated Directory Server deployments?
In replication topologies, a compromised supplier can inject malicious schema updates to consumer servers. The attack then propagates across the replication agreement, potentially crashing multiple instances. Verify the security posture of all replication partners and apply patches uniformly across the topology.
This analysis is provided for informational purposes and represents a point-in-time assessment based on publicly available data as of the publication date. Affected product versions, patch releases, and vendor advisories must be verified directly with Red Hat's official security resources. No exploit code is provided. Organizations should conduct independent risk assessment in their specific environment. SEC.co makes no warranty regarding the completeness or accuracy of remediation steps; consult vendor documentation and internal security policy before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-55664MEDIUMGPAC MP4Box Heap Buffer Overflow DoS Vulnerability
- CVE-2026-10194MEDIUMOFFIS DCMTK Heap Buffer Overflow in Query/Retrieve Service
- CVE-2026-10200MEDIUMAssimp 6.0.4 Heap Buffer Overflow in glTF Matrix Parser
- CVE-2026-10229MEDIUMAssimp Half-Life MDL Loader Heap Buffer Overflow
- CVE-2026-10230MEDIUMAssimp Half-Life MDL Loader Heap Buffer Overflow Vulnerability
- CVE-2026-10231MEDIUMAssimp Heap Buffer Overflow in HL1 MDL Loader
- CVE-2026-10993MEDIUMChrome Skia Heap Buffer Overflow Allows Memory Information Disclosure
- CVE-2026-11143MEDIUMChrome Linux Extension Out-of-Bounds Read Memory Leak