CVE-2026-9064
Description
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description 389-ds-base: 389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS) Red Hat statement This vulnerability is rated Important for Red Hat products shipping 389-ds-base. A remote, unauthenticated attacker with network access to the LDAP port can send a single crafted LDAP request containing an excessive number ofโฆ
Description
389-ds-base: 389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS)
Red Hat statement
This vulnerability is rated Important for Red Hat products shipping 389-ds-base. A remote, unauthenticated attacker with network access to the LDAP port can send a single crafted LDAP request containing an excessive number of minimal controls, causing the server to perform unbounded memory allocations and consume significant CPU time. Under concurrent attack, this can degrade or deny directory service availability through worker thread starvation or out-of-memory conditions. The vulnerability is mitigated in environments where the LDAP port is not exposed to untrusted networks (firewall/ACL restrictions). Additionally, lowering nsslapd-maxbersize reduces the maximum message size (and thus the upper bound on controls per message), though this does not fully eliminate the amplification since it caps bytes rather than control count. The definitive fix requires enforcing a maximum controls-per-message limit in the decode loop.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Directory Server 11 | redhat-ds:11/389-ds-base | Affected |
| Red Hat Directory Server 12 | redhat-ds:12/389-ds-base | Affected |
| Red Hat Directory Server 13 | 389-ds-base | Will not fix |
| Red Hat Enterprise Linux 10 | 389-ds-base | Affected |
| Red Hat Enterprise Linux 6 | 389-ds-base | Out of support scope |
| Red Hat Enterprise Linux 7 | 389-ds-base | Affected |
| Red Hat Enterprise Linux 8 | 389-ds:1.4/389-ds-base | Affected |
| Red Hat Enterprise Linux 9 | 389-ds-base | Affected |
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Directory Server 11 | Affected |
| redhat | Red Hat Directory Server 12 | Affected |
| redhat | Red Hat Enterprise Linux 10 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
OS impact
Debian Affected 4 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | โ |
| sid | Affected | โ |
| bullseye | Affected | โ |
| bookworm | Affected | โ |
Red Hat Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| 10.0 | Affected | โ |
| 9.0 | Affected | โ |
| 8.0 | Affected | โ |
| 7.0 | Affected | โ |
| 6.0 | Affected | โ |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | directory_server | 11.0 | |
| redhat | directory_server | 12.0 | |
| redhat | directory_server | 13.0 | |
References
CWEs
CWE-770
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.