Description
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
Published: 2026-06-11
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow flaw was discovered in the SASL I/O layer of 389 Directory Server (389-ds-base). In the function sasl_io_start_packet, adding a 32-bit integer to a crafted SASL packet length prefix of 0xFFFFFFFC triggers unsigned wrap-around to zero, bypassing the nsslapd-maxsasliosize limit and creating a heap buffer overflow that can exceed 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a denial of service or achieve remote code execution. In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account is able to trigger this vulnerability over the network, and the flaw is independent of CVE-2025-14905.

Affected Systems

Affected systems include Red Hat Directory Server 11, 12, and 13 as well as Red Hat Enterprise Linux releases 6, 7, 8, 9, and 10. The issue resides in the 389-ds-base product and applies to all listed RHEL distributions that install or rely on the Directory Server component.

Risk and Exploitability

The CVSS score of 7.6 classifies the vulnerability as high severity, but the EPSS score is not available and the flaw is not listed in CISA's KEV catalog. The likely attack vector requires only remote access to LDAP over standard ports 389 or 636 and an authenticated SASL bind, making it feasible in environments that expose these ports to untrusted networks or rely on FreeIPA or domain users with Kerberos tickets. Mitigation measures can reduce exposure but do not eliminate the issue; upgrading glibc on RHEL 8 reduces RCE exploitability but does not solve the denial-of-service potential.

Generated by OpenCVE AI on June 11, 2026 at 22:43 UTC.

Remediation

Vendor Workaround

No complete workaround exists; nsslapd-maxsasliosize is bypassed by the integer overflow. Mitigations that reduce exposure: restrict SASL mechanisms (disable DIGEST-MD5 if not required; GSSAPI cannot be disabled in FreeIPA/IdM without breaking Kerberos authentication); firewall LDAP ports (389/636) to trusted networks; monitor for SASL-framed packets with length prefix 0xFFFFFFFC through 0xFFFFFFFF; enable audit logging (nsslapd-auditlog-logging-enabled: on); on RHEL 8, upgrading glibc reduces RCE exploitability but does not eliminate DoS.
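The following C program is an added illustration of the wraparound described in the Description and of the length-prefix range the workaround asks operators to monitor. It is not 389-ds-base source: the big-endian 4-byte framing, the shape of the size check, the 2 MiB stand-in for nsslapd-maxsasliosize and the sample prefixes are all assumptions constructed for the example. It places a check written in 32-bit arithmetic (which 0xFFFFFFFC defeats) beside a hardened check that flags the 0xFFFFFFFC through 0xFFFFFFFF range explicitly and does the size arithmetic in a wider type.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the advisory's wraparound, not 389-ds-base code.
 * Framing byte order and check structure are assumptions; the real
 * sasl_io_start_packet() is not reproduced here. */

/* Stand-in for nsslapd-maxsasliosize (2 MiB, a constructed value). */
#define MAX_SASL_IO_SIZE (2u * 1024u * 1024u)

/* Constructed sample prefixes: a 4 KiB packet, a 2 MiB packet that exceeds
 * the limit once the 4 header bytes are counted, and the crafted value. */
const unsigned char PREFIX_NORMAL[4]   = {0x00, 0x00, 0x10, 0x00};
const unsigned char PREFIX_OVERSIZE[4] = {0x00, 0x20, 0x00, 0x00};
const unsigned char PREFIX_CRAFTED[4]  = {0xFF, 0xFF, 0xFF, 0xFC};

enum verdict {
    VERDICT_ACCEPT,           /* within the configured limit */
    VERDICT_REJECT_TOO_LARGE, /* honest oversize packet, limit applied */
    VERDICT_ALERT_WRAPAROUND  /* prefix in 0xFFFFFFFC..0xFFFFFFFF, the monitored range */
};

/* Assumed SASL framing: 4-byte big-endian length, then the wrapped payload. */
static uint32_t read_length_prefix(const unsigned char prefix[4])
{
    return ((uint32_t)prefix[0] << 24) | ((uint32_t)prefix[1] << 16) |
           ((uint32_t)prefix[2] << 8)  |  (uint32_t)prefix[3];
}

/* Vulnerable pattern: the header size is added in 32-bit arithmetic before
 * the comparison. 0xFFFFFFFC + 4 wraps to 0, and 0 <= max_io passes. */
bool vulnerable_length_ok(const unsigned char prefix[4], uint32_t max_io)
{
    uint32_t packet_len = read_length_prefix(prefix);
    uint32_t total = packet_len + (uint32_t)sizeof(uint32_t); /* wraps mod 2^32 */
    return total <= max_io;
}

/* Hardened pattern: report the wraparound range explicitly (this is what a
 * detection rule would log), then size the allocation in 64-bit arithmetic
 * so the addition cannot wrap. */
enum verdict classify_length(const unsigned char prefix[4], uint32_t max_io)
{
    uint32_t packet_len = read_length_prefix(prefix);
    if (packet_len >= 0xFFFFFFFCu) {
        return VERDICT_ALERT_WRAPAROUND;
    }
    uint64_t total = (uint64_t)packet_len + sizeof(uint32_t);
    if (total > max_io) {
        return VERDICT_REJECT_TOO_LARGE;
    }
    return VERDICT_ACCEPT;
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case VERDICT_ACCEPT:           return "accept";
    case VERDICT_REJECT_TOO_LARGE: return "reject (too large)";
    default:                       return "ALERT (wraparound range)";
    }
}

int main(void)
{
    const unsigned char *samples[3] = {PREFIX_NORMAL, PREFIX_OVERSIZE, PREFIX_CRAFTED};
    for (int i = 0; i < 3; i++) {
        printf("prefix 0x%08X: vulnerable check %s, hardened check %s\n",
               read_length_prefix(samples[i]),
               vulnerable_length_ok(samples[i], MAX_SASL_IO_SIZE) ? "passes" : "rejects",
               verdict_name(classify_length(samples[i], MAX_SASL_IO_SIZE)));
    }
    return 0;
}
```

The contrast worth noting is the middle sample: a packet slightly over the limit is rejected by both checks, so the limit is not simply absent; it is the specific values near UINT32_MAX that slip past the 32-bit addition, which is why the workaround names that four-value range for monitoring.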


OpenCVE Recommended Actions

  • Restrict SASL mechanisms to only those required: disable DIGEST-MD5 when it is not needed; note GSSAPI cannot be disabled in FreeIPA or Identity Management without breaking Kerberos authentication.
  • Use firewall rules to restrict LDAP traffic on ports 389 and 636 to trusted networks only, blocking unauthenticated or unknown hosts.
  • Configure monitoring or logging to detect SASL-framed packets whose length prefix falls in the range 0xFFFFFFFC to 0xFFFFFFFF, and audit any such activity.
  • Enable audit logging for the Directory Server by setting nsslapd-auditlog-logging-enabled to 'on' to capture SASL binding attempts.
  • On Red Hat Enterprise Linux 8, upgrade glibc to the latest patched version, which mitigates remote-code-execution exploitability.
  • Apply any vendor-issued patch or update for 389 Directory Server or the affected RHEL products as soon as it becomes available.

Generated by OpenCVE AI on June 11, 2026 at 22:43 UTC.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 19:00:00 +0000

Values added (no values removed):

Description: An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
Title: 389-ds-base: 389-ds-base: integer overflow in sasl packet length bypasses size limit leading to heap buffer overflow
First time appeared: Redhat; Redhat directory Server; Redhat enterprise Linux
Weaknesses: CWE-190
CPEs:
  cpe:/a:redhat:directory_server:11
  cpe:/a:redhat:directory_server:12
  cpe:/a:redhat:directory_server:13
  cpe:/o:redhat:enterprise_linux:10
  cpe:/o:redhat:enterprise_linux:6
  cpe:/o:redhat:enterprise_linux:7
  cpe:/o:redhat:enterprise_linux:8
  cpe:/o:redhat:enterprise_linux:9
Vendors & Products: Redhat; Redhat directory Server; Redhat enterprise Linux
References: (none)
Metrics: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-11T17:54:34.539Z

Reserved: 2026-06-09T11:57:25.581Z

Link: CVE-2026-11774

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-11T19:16:37.853

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-11774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T21:15:07Z

Weaknesses
  • CWE-190: Integer Overflow or Wraparound