CVE-2026-9064

EUVD-2026-31079
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
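The description above boils down to one missing bounds check in a BER walk: the server accepts a controls SEQUENCE of any element count as long as the whole message stays under the BER size limit, and a Control can be as small as four bytes. The following is an added example written for this page, not 389-ds-base code: a minimal BER decoder that walks the `controls [0]` element of an LDAPMessage and shows how many four-byte controls fit under the 2 MB default, with `count_controls(max_controls=None)` reproducing the unbounded loop the advisory describes and a capped call rejecting the message as soon as the cap is exceeded. The cap value `MAX_CONTROLS = 128` and the sample bind request are assumptions; the page does not state what limit the fixed packages apply.

```python
"""Added example, not 389-ds-base code: count the controls of a BER-encoded
LDAPMessage and enforce an upper bound, the check the advisory says
get_ldapmessage_controls_ext() lacks. MAX_CONTROLS is an assumed value."""

DEFAULT_MAX_BER_SIZE = 2 * 1024 * 1024   # the 2 MB default cited in the description
MAX_CONTROLS = 128                        # assumed cap for this example, not a real setting


class BerError(ValueError):
    """Malformed input or a limit exceeded."""


def ber_read_tlv(buf, pos, limit=None):
    """Decode one BER TLV header at pos -> (tag, value_start, value_end).
    Single-byte tags and definite lengths of at most 4 bytes only."""
    limit = len(buf) if limit is None else limit
    if pos + 2 > limit:
        raise BerError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if (tag & 0x1F) == 0x1F:
        raise BerError("multi-byte tags not supported")
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise BerError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > limit:
        raise BerError("value overruns enclosing element")
    return tag, pos, pos + length


def ber_encode_tlv(tag, value):
    """tag || definite-form length || value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_bind_request(n_controls, msg_id=1):
    """Constructed sample: anonymous LDAPv3 simple bind plus n_controls minimal
    controls, each Control { controlType "" } = 30 02 04 00 (4 bytes)."""
    bind = ber_encode_tlv(0x60, ber_encode_tlv(0x02, b"\x03")   # [APPLICATION 0] BindRequest: version 3,
                          + ber_encode_tlv(0x04, b"")            # empty name,
                          + ber_encode_tlv(0x80, b""))           # simple auth with empty password
    body = ber_encode_tlv(0x02, bytes([msg_id])) + bind          # messageID (0..127) + protocolOp
    if n_controls:
        control = ber_encode_tlv(0x30, ber_encode_tlv(0x04, b""))
        body += ber_encode_tlv(0xA0, control * n_controls)       # controls [0] SEQUENCE OF Control
    return ber_encode_tlv(0x30, body)                            # LDAPMessage SEQUENCE


def count_controls(msg, max_controls=None, max_ber_size=DEFAULT_MAX_BER_SIZE):
    """Walk the controls of one LDAPMessage. max_controls=None is the unbounded
    loop the advisory describes; with a cap, the message is rejected the moment
    the cap is exceeded, before any per-control allocation would happen."""
    if len(msg) > max_ber_size:
        raise BerError("message exceeds maximum BER size")
    tag, pos, end = ber_read_tlv(msg, 0)
    if tag != 0x30:
        raise BerError("LDAPMessage must be a SEQUENCE")
    tag, _, pos = ber_read_tlv(msg, pos, end)                 # messageID
    if tag != 0x02:
        raise BerError("missing messageID")
    _, _, pos = ber_read_tlv(msg, pos, end)                   # protocolOp, not inspected
    if pos == end:
        return 0                                              # no controls element
    tag, pos, controls_end = ber_read_tlv(msg, pos, end)      # controls [0]
    if tag != 0xA0 or controls_end != end:
        raise BerError("unexpected element after protocolOp")
    count = 0
    while pos < controls_end:
        tag, _, pos = ber_read_tlv(msg, pos, controls_end)
        if tag != 0x30:
            raise BerError("each Control must be a SEQUENCE")
        count += 1
        if max_controls is not None and count > max_controls:
            raise BerError(f"more than {max_controls} controls in one message")
    return count


def is_accepted(msg, max_controls=MAX_CONTROLS):
    """True if msg parses and stays within the control cap."""
    try:
        count_controls(msg, max_controls=max_controls)
        return True
    except BerError:
        return False


def minimal_controls_that_fit(max_ber_size=DEFAULT_MAX_BER_SIZE):
    """Largest n for which build_bind_request(n) still fits in max_ber_size."""
    lo, hi = 0, max_ber_size // 4
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if len(build_bind_request(mid)) <= max_ber_size:
            lo = mid
        else:
            hi = mid - 1
    return lo
```

Running `minimal_controls_that_fit()` gives a little over 524,000 controls inside one 2 MB message, which is the "hundreds of thousands" the description refers to; `count_controls(build_bind_request(n))` walks all of them without complaint, while `is_accepted(build_bind_request(n))` rejects the message after the 129th control. The design point is where the check sits: the cap is tested inside the walk, before anything is allocated per control, so a capped parser does bounded work no matter how the attacker fills the remaining bytes.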
CVSS 3.x Base Score
Provider: NIST (Primary)
Base Score: 7.5 HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score
Percentile: 52%
Affected Products (NVD)
Vendor   Product               Version
redhat   directory_server      11.0
redhat   directory_server      12.0
redhat   directory_server      13.0
redhat   389_directory_server  -
redhat   enterprise_linux      6.0
redhat   enterprise_linux      7.0
redhat   enterprise_linux      8.0
redhat   enterprise_linux      9.0
redhat   enterprise_linux      10.0
Debian Releases
Product      Codename             Status
389-ds-base  bookworm             vulnerable
389-ds-base  bullseye             vulnerable
389-ds-base  bullseye (security)  vulnerable
389-ds-base  sid                  vulnerable
389-ds-base  trixie               vulnerable
Red Hat Enterprise Linux Releases
Package            Release  Fixed Version    Status
389-ds-base        RHEL 9   0:2.8.0-7.el9_8  fixed
389-ds-base-devel  RHEL 9   0:2.8.0-7.el9_8  fixed
389-ds-base-libs   RHEL 9   0:2.8.0-7.el9_8  fixed
389-ds-base-snmp   RHEL 9   0:2.8.0-7.el9_8  fixed
python3-lib389     RHEL 9   0:2.8.0-7.el9_8  fixed
Amazon Linux Releases
Package                Release         Fixed Version             Status
389-ds-base            Amazon Linux 2  0:1.3.10.2-17.amzn2.0.6   fixed
389-ds-base-debuginfo  Amazon Linux 2  0:1.3.10.2-17.amzn2.0.6   fixed
389-ds-base-devel      Amazon Linux 2  0:1.3.10.2-17.amzn2.0.6   fixed
389-ds-base-libs       Amazon Linux 2  0:1.3.10.2-17.amzn2.0.6   fixed
389-ds-base-snmp       Amazon Linux 2  0:1.3.10.2-17.amzn2.0.6   fixed
References