๐Ÿ” CVE Alert

CVE-2026-11610

HIGH 8.8

389-ds-base: 389-ds-base: heap buffer overflow in sasl_io_recv() via padded sasl unbind

CVSS Score
8.8
EPSS Score
0.6%
EPSS Percentile
46th

A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.

CWE CWE-122
Vendor 389ds
Product 389-ds-base
Published Jul 7, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for 389ds 389-ds-base

Be the first to know when new high vulnerabilities affecting 389ds 389-ds-base are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

389ds / 389-ds-base
1.3.2 โ‰ค 3.3.0
Red Hat / Red Hat Directory Server 11.5 E4S for RHEL 8
All versions affected
Red Hat / Red Hat Directory Server 11.7 E4S for RHEL 8
All versions affected
Red Hat / Red Hat Directory Server 11.9 for RHEL 8
All versions affected
Red Hat / Red Hat Directory Server 12.2 E4S for RHEL 9
All versions affected
Red Hat / Red Hat Directory Server 12.4 E4S for RHEL 9
All versions affected
Red Hat / Red Hat Enterprise Linux 10
All versions affected
Red Hat / Red Hat Enterprise Linux 10.0 Extended Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 7 Extended Lifecycle Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8
All versions affected
Red Hat / Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On
All versions affected
Red Hat / Red Hat Enterprise Linux 8.8 Telecommunications Update Service
All versions affected
Red Hat / Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 9
All versions affected
Red Hat / Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 9.6 Extended Update Support
All versions affected
Red Hat / Red Hat Directory Server 13.2
All versions affected
Red Hat / Red Hat Directory Server 12
All versions affected
Red Hat / Red Hat Directory Server 13
All versions affected
Red Hat / Red Hat Enterprise Linux 6
All versions affected

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36195 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36196 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36197 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36198 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36200 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36201 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36202 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36204 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36205 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36206 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36208 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36209 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36585 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36641 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36660 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36670 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:36671 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-11610 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2484414

Credits

This issue was discovered by Ian Murphy (Red Hat).