Description
A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.
Published: 2026-06-09
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in 389 Directory Server causes the ldap_utf8prev() function to read bytes before the start of a buffer during string filter parsing, resulting in a heap buffer over-read identified as CWE-126. When an LDAP client sends a specially crafted filter, the server can access memory outside the intended buffer, potentially revealing sensitive data or corrupting internal state. The effect on confidentiality, integrity, or availability is limited to data leakage or the disruption of filter processing, which may lead to incorrect search results or a denial of service.
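The defect class described above is a backward UTF-8 step that walks over continuation bytes without checking the buffer start. The following added example is illustrative C written for this page; it is not 389-ds-base code and `utf8_prev_bounded` is a hypothetical name, not the project's ldap_utf8prev(). It shows the bounds check a practitioner would look for: the step is clamped to `start`, so a filter value that begins with continuation bytes (malformed UTF-8) cannot drive the pointer before the allocation.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounded variant (not 389-ds-base's ldap_utf8prev()).
 * Moves p back to the start of the previous UTF-8 sequence but never
 * before `start`. Returns NULL when there is nothing before p. */
static const char *utf8_prev_bounded(const char *start, const char *p)
{
    if (start == NULL || p == NULL || p <= start) {
        return NULL;   /* already at (or before) the buffer start: refuse */
    }
    /* Skip continuation bytes (10xxxxxx). The `p > start` test is the
     * bounds check: without it, a value made only of continuation bytes
     * would walk the pointer into memory before the buffer. */
    do {
        p--;
    } while (p > start && ((unsigned char)*p & 0xC0) == 0x80);
    return p;
}

/* Walk a buffer backwards and count the sequences visited. Used here to
 * show that the walk terminates at the buffer start for any input. */
static size_t count_chars_backwards(const char *buf, size_t len)
{
    size_t n = 0;
    const char *p = buf + len;
    while ((p = utf8_prev_bounded(buf, p)) != NULL) {
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: well-formed text and a malformed value that
     * consists only of continuation bytes. */
    const char ok[] = "h\xc3\xa9llo";          /* "hello" with e-acute */
    const char malformed[] = "\x80\x80\x80";
    printf("well-formed: %zu sequences\n", count_chars_backwards(ok, sizeof ok - 1));
    printf("malformed:   %zu sequences (stopped at buffer start)\n",
           count_chars_backwards(malformed, sizeof malformed - 1));
    return 0;
}
```

The malformed case is the one that matters for this CVE class: the walk stops at the first byte of the buffer instead of continuing into whatever the allocator placed before it.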

Affected Systems

The vulnerability affects Red Hat Directory Server 11, 12, and 13, as well as Red Hat Enterprise Linux releases 6 through 10, all of which include the 389-ds-base component.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity, and the EPSS score is not available while the CVE is not listed in CISA KEV. Exploitation requires an LDAP client that can send explicit search filters to the server; the over-read itself does not provide remote code execution but can cause data exposure or DoS. Network-level mitigations such as proxies or WAFs are ineffective against this code-level bug, so the primary risk remains for systems exposed to LDAP traffic where arbitrary filters can be sent.

Generated by OpenCVE AI on June 9, 2026 at 14:52 UTC.

Remediation

Vendor Workaround

No direct workaround addresses the code-level bug; network-level mitigations (proxies, WAFs, filter validation) do not apply. Measures that reduce exposure: restrict plugin configuration access (MEP originFilter, UID uniqueness nsUniqueAttribute, strict ACIs on cn=config); restrict Directory Manager access for ACI, MEP, or uniqueness plugin configuration; harden the replication topology to restrict replication peers; monitor for anomalous search result sets that may indicate exploitation.

OpenCVE Recommended Actions

  • Apply the vendor patch for the over-read flaw when it becomes available and upgrade to the latest supported version of Red Hat Directory Server.
  • Restrict administrative access to plugin configuration such as originFilter, UID uniqueness (nsUniqueAttribute), and strict ACIs on cn=config so that only trusted personnel can modify these settings.
  • Limit Directory Manager privileges related to ACI, MEP, or uniqueness plugin configuration to reduce the attack surface.
  • Harden the replication topology to limit replication peers and prevent the flaw from impacting replicated data.
  • Monitor LDAP search results for anomalies that could indicate exploitation and investigate any unexpected behavior promptly.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat redhat Directory Server
Vendors & Products | | Redhat redhat Directory Server

Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.
Title | | 389-ds-base: 389-ds-base: heap buffer over-read in ldap_utf8prev() via str2simple filter parsing
First Time appeared | | Redhat; Redhat directory Server; Redhat enterprise Linux
Weaknesses | | CWE-126
CPEs | | cpe:/a:redhat:directory_server:11; cpe:/a:redhat:directory_server:12; cpe:/a:redhat:directory_server:13; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat directory Server; Redhat enterprise Linux
References | |
Metrics | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-09T13:30:35.749Z

Reserved: 2026-06-09T12:55:55.703Z

Link: CVE-2026-11787

Vulnrichment

Updated: 2026-06-09T13:30:27.727Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T14:16:36.773

Modified: 2026-06-09T14:42:21.530

Link: CVE-2026-11787

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:44Z

Weaknesses